Microsoft's July 2026 Patch Tuesday quieted a high-severity elevation-of-privilege bug that could let a local attacker seize full control of an unpatched Windows 11 or Windows Server 2025 machine. The fix, delivered through cumulative updates KB5101650 and KB5099536, is straightforward—unless the target is a Dell PC with an Intel processor. A safeguard hold is keeping the patch off those systems, creating a security gap that administrators must manage manually.

What the patch corrects

The vulnerability, tracked as CVE-2026-50361, lives inside the Microsoft Brokering File System. It stems from a double-free memory error compounded by a race condition, according to Microsoft's Security Update Guide. A local already-authenticated attacker with low privileges can exploit the flaw without any interaction from a victim—no phishing lure or document trickery needed. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability, even though the attack cannot be launched over a network.

The July 14 cumulative updates seal the hole on most affected editions. Specifically:

  • Windows 11 24H2 (x64 and Arm64) reaches fixed build 26100.8875 via KB5101650.
  • Windows 11 25H2 (x64 and Arm64) reaches fixed build 26200.8875 via the same KB5101650.
  • Windows Server 2025 (Desktop Experience and Server Core) advances to build 26100.33158 through KB5099536.
  • Windows 11 26H1 devices, interestingly, already received the correction in June's KB5095051 (build 28000.2269), even though CVE-2026-50361 wasn't publicly disclosed until July. Microsoft's advisory lists that build as the fix boundary, meaning any 26H1 system current on June patches is already protected.

This isn't a sprawling, wormable crisis. But within enterprise environments where a compromised standard user account can be a stepping stone to domain-wide disaster, the flaw is exactly the sort of privilege escalator that advanced attackers keep bookmarked.

The Dell complication

Here's the catch: KB5101650 isn't landing on a subset of Dell PCs fitted with Intel CPUs. Microsoft and Dell jointly imposed a safeguard hold after reports that the update could trigger unexpected shutdowns, performance degradation, excess heat, and battery drain. The hold applies automatically; those machines simply won't see the patch in Windows Update, regardless of their update settings.

For home users with an affected Dell, that means the operating system may report \"up to date\" while still vulnerable. There's no manual override recommended—bypassing the hold risks hardware-level instability. For IT teams, this is a compliance headache. A device blocked from KB5101650 may be stuck on a build below the CVE-2026-50361 fix threshold, and standard patching reports might not flag it because the update isn't even offered.

Microsoft hasn't published a full list of affected Dell models, only noting that the incompatibility involves \"a limited number of Dell PCs with Intel processors.\" Dell owners can check support.dell.com or their system's model number against any forthcoming advisories from Dell.

How we got here

Memory-corruption flaws in kernel-adjacent components are an eternal Patch Tuesday fixture. Double-free vulnerabilities occur when a program releases the same memory allocation more than once. That can corrupt internal memory structures, which a skilled exploit developer may leverage to execute code at a higher privilege level. The Brokering File System's role in mediating file operations across security boundaries made this instance particularly dangerous—an attacker who achieves elevation there can potentially disable antivirus, extract credentials, or install persistent malware.

Microsoft's disclosure timeline shows that the vulnerability wasn't publicly known before the patch, and no active exploitation has been detected. CISA's initial assessment rated the technical impact as \"total\" but judged automated exploitation unlikely. That keeps it below the emergency level of an in-the-wild zero-day, but patch publication immediately shifts the risk equation. Attackers can now analyze the fixed binaries to locate the vulnerable code path, making delayed patching a gamble.

What you should do now

For home users: Check your Windows build number by running winver. If you're on Windows 11 24H2 and your build is below 26100.8875, or on 25H2 below 26200.8875, you should see KB5101650 in Windows Update. If it's missing and you're on a Dell system, sit tight—do not attempt to force the update by deleting the safeguard registry key. Instead, practice basic security hygiene: avoid running untrusted programs, use a standard (non-admin) account for daily work, and keep your browser and other software up to date. For non-Dell machines, install the update as usual.

For IT administrators: Pull a current build inventory from Intune, Configuration Manager, or your RMM tool. Filter for devices on the affected Windows 11 editions (24H2, 25H2, 26H1) and Server 2025. For 26H1, flag any machine below build 28000.2269 as overdue for June's KB5095051. For 24H2/25H2, identify those stuck below the July fix builds. On Dell hardware, monitor Microsoft's release health dashboard and Dell's support channels for a revised update; until then, enforce controls that reduce local code-execution opportunities—application whitelisting, constrained user permissions, and disabling unnecessary local services.

For Windows Server 2025, note that Server Core installations are equally affected. KB5099536 can require a restart; plan maintenance windows accordingly. The server update is also a baseline for future hotpatches, so falling behind introduces broader servicing complications.

For Dell system owners in enterprises: Tag the blocked devices in your asset management system. Apply extra monitoring to those endpoints for unusual process elevation attempts. Consider temporarily reducing the number of users with local logon rights or interactive access to those machines until the hardware incompatibility is resolved.

Outlook

This episode highlights the messy intersection of security patching and hardware compatibility. Safeguard holds are a necessary evil—they prevent update-related blue screens and data loss—but they also carve out a protected window for exploitation on a known vulnerability class. Microsoft and Dell will likely ship a revised patch, perhaps via a separate update or a fix from Dell's firmware, but no timeline has been given. Until then, defenders must fill the gap with operational controls. The underlying lesson is timeless: patch verification must go beyond trusting that Windows Update ran; always validate build numbers, and treat every listed fix boundary as a compliance checkpoint.