Microsoft on July 14 patched a high-severity information disclosure flaw in the Windows Secure Channel (Schannel) component that handles TLS and SSL encryption. The bug, tracked as CVE-2026-56186 and rated 8.1 on the CVSS scale, can allow an attacker with low-level access to read sensitive data from memory over a network. The fix arrived in the July cumulative updates for all supported Windows versions, making it an immediate priority for patch management rather than a routine monthly item.

What the vulnerability actually does

The vulnerability is an out-of-bounds read (CWE-125) in the Windows implementation of TLS/SSL. Schannel is the built-in security provider that Windows applications and services rely on for encrypted communications—think HTTPS traffic, service-to-service authentication, and any network connection secured by TLS. An attacker who already has some level of authorized access on a system can exploit the flaw to read memory contents that should be off-limits, potentially exposing credentials, session tokens, or other sensitive data.

The CVSS vector tells a more nuanced story: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The attack is network-based, needs no user interaction, and is of low complexity. But crucially, it requires low privileges—not anonymous unauthenticated access. Still, the impact on confidentiality is rated high, and the availability impact is also high, suggesting the out-of-bounds read could destabilize a process or service, causing crashes or denial-of-service. That makes it more than a simple information leak.

Microsoft’s advisory is intentionally sparse: it does not specify which protocol versions are affected, the exact code path, or what data could be disclosed. That restraint is standard for initial disclosures, but it means administrators should not underestimate the scope. Because Schannel underpins so many critical Windows functions—from IIS web servers to RDP, Active Directory authentication, and even Windows Update itself—a flaw here has broad exposure.

Who’s affected and how to check your build

The affected product list is extensive: Windows 10 (21H2, 22H2, and older LTSC/ESU editions), Windows 11 (24H2 and 25H2), and all supported Windows Server versions from 2016 through 2025. Systems that are out of support without Extended Security Updates are not receiving patches, but organizations running ESU-covered Server 2012 and 2012 R2 are also in scope.

The cleanest way to confirm remediation is by checking the OS build number after installing the July update. Here are the key thresholds:

Windows Version Required Update Fixed Build Number
Windows 11 24H2 KB5101650 26100.8875 or higher
Windows 11 25H2 KB5101650 26200.8875 or higher
Windows 10 21H2/22H2 KB5099539 19044.7548 / 19045.7548 or higher
Windows Server 2022 KB5099540 20348.5386 or higher
Windows 10 1607 / Server 2016 (Cumulative) 14393.9339 or higher
Windows 10 1809 / Server 2019 (Cumulative) 17763.9020 or higher
Server 2012 / 2012 R2 (ESU) (Cumulative) 9200.26226 / 9600.23291 or higher

Run winver or check “System > About” to see your current build. If it’s below the threshold, you are exposed.

Why ‘authorized attacker’ isn’t a free pass to delay

The requirement for low-level privileges can sound like a reason to de-prioritize, but that’s a mistake. A standard domain user account or a compromised service account is a common post-breach foothold. Once an attacker has that foothold, CVE-2026-56186 could become a tool for lateral movement, credential theft, or service disruption. In environments where segmentation is weak, an internal low-privilege account might be all an attacker needs to reach a vulnerable Schannel endpoint.

Moreover, the high availability impact in the CVSS score signals that the bug can potentially crash services, not just read memory. That could mean an attacker with limited access triggers an outage on a critical server. So even if the primary threat is information disclosure, the secondary effects warrant faster patching.

At the time of disclosure, there were no reports of active exploitation or public proof-of-concept code, according to both CISA’s SSVC assessment and the SANS Internet Storm Center. But that can change quickly, especially as more technical details emerge from reverse-engineering of the patches.

A patch with extra baggage

The July cumulative updates carry more than just this fix. Microsoft’s release notes also mention networking hardening for third-party Transport Driver Interface transports, Secure Boot certificate delivery updates, and changes to Remote Desktop publisher certificates. The Dell compatibility hold on KB5101650 for some Intel-based devices is a particularly noteworthy wrinkle. Dell reported that the update could cause shutdowns, performance degradation, increased heat, and battery drain on a limited number of models. Admins with affected hardware should follow Microsoft’s hold guidance and not force the update through workarounds.

For everyone else, this is a patch that should be deployed quickly—but not recklessly. Enterprises should use an expedited pilot ring that includes representative TLS-dependent workloads: web servers, application gateways, authentication proxies, and any service that terminates TLS traffic. Validate connectivity and service health before rolling out to broader production systems.

Your patching action plan

  1. Identify all Windows systems in your environment. Use inventory tools to flag those below the fixed build numbers listed above. Remember to include servers, virtual machines, and cloud instances.
  2. Apply the July cumulative update. For most, this means approving KB5101650 (Win11 24H2/25H2), KB5099539 (Win10), or the corresponding server update in WSUS, Intune, or your endpoint management platform.
  3. Verify after reboot. Confirm build numbers across a sample of devices. For critical servers, spot-check that TLS-dependent services (IIS, RDP, LDAPS, etc.) are operational.
  4. Address the Dell hold separately. If you have Dell systems with Intel processors, check manufacturer guidance. Do not bypass compatibility holds unless Dell confirms the issue is resolved in a newer driver or firmware.
  5. If you cannot patch immediately, restrict network access to vulnerable systems at the firewall level, enforce least privilege for all accounts, and monitor for anomalous TLS-related service failures. Disabling Schannel entirely is not a workaround—it will break most Windows functionality.

Home users and small businesses with automatic updates enabled will receive the patch via Windows Update. After installation, check your build number to be sure. The process is automatic, but a reboot is required.

What comes next

Microsoft typically releases additional details and proof-of-concept mitigations within days or weeks as researchers analyze the patches. Security teams should watch for new intelligence on exploitation vectors or post-patch workarounds. For now, the safest position is to treat this as a high-priority fix—the network attack surface is broad, the privilege bar is low, and the uncertainty around what data can be exposed should tilt the risk calculus toward faster action.

One more thing: after patching, stay alert for any unexpected application behavior related to TLS connections. The same out-of-bounds fix could surface latent interoperability issues. But given the alternative—a known vulnerability in the core encryption layer of your Windows fleet—the update is the clear choice.