{
"title": "How to Protect RRAS Servers from the Latest Windows Privilege Escalation Bug",
"content": "Microsoft’s July 14, 2026 security updates resolve a heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) that could let an authenticated attacker with local access elevate privileges to full system control. The vulnerability, tracked as CVE-2026-57096, has a CVSS 3.1 base score of 7.8 and is rated Important by Microsoft, with exploitation assessed as less likely. No public disclosure or active attacks have been reported, but the fix is bundled in this month’s cumulative updates for all supported Windows clients and servers.
Inside CVE-2026-57096: A Heap Overflow in Windows RRAS
Microsoft’s Security Update Guide describes the flaw as a heap-based buffer overflow (CWE-122) in the Routing and Remote Access Service. An attacker with authorized local access can trigger the overflow and escalate privileges, potentially gaining SYSTEM-level control. The attack vector is local (AV:L), requires low privileges (PR:L), no user interaction (UI:N), and has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). That combination yields a CVSS score of 7.8, just below the Critical threshold, but still a priority for environments where RRAS runs.
The National Vulnerability Database has not yet completed its own enrichment but confirms Microsoft as the CVE source and the same CVSS vector.
Microsoft’s exploitability index indicates that exploitation is less likely. The company also notes that the vulnerability has not been publicly disclosed and is not known to be exploited as of July 15. While these are favorable signals, they are point-in-time assessments; the bar for local privilege escalation attacks is lower once a proof of concept emerges.
Who Is Affected and What’s the Real Risk?
The affected product list is extensive, spanning virtually all supported Windows editions:
- Windows 10 1607, 1809, 21H2, 22H2
- Windows 11 24H2, 25H2, and 26H1
- Windows Server 2012 R2, 2016, 2019, 2022, and 2025
- Server Core installations are also in scope; the absence of a desktop experience does not eliminate the vulnerable component.
The practical threat is not a remote takeover. An attacker must already have a foothold on the target machine — through stolen credentials, malware, or another initial access method — before exploiting this bug. But in the real world, privilege escalation is a critical link in the attack chain. A standard user or a compromised service account leveraging CVE-2026-57096 could gain full control, allowing the attacker to disable security tools, steal credentials, move laterally, or deploy ransomware. On an RRAS server, which typically sits at a network boundary and holds sensitive configuration like VPN keys and RADIUS integrations, the blast radius could be substantial.
What’s in the July 14 Patches
There is no standalone hotfix or workaround for CVE-2026-57096. The remediation is to install the July 14, 2026 security update for your Windows version. The updates are delivered through Windows Update, Windows Server Update Services (WSUS), Microsoft Configuration Manager, and the Microsoft Update Catalog.
The following table lists the key update packages and the build numbers they bring systems to after installation. Confirming the build number is the most reliable way to verify that the patch is applied.
| Product | KB Article | Build Number |
|---|---|---|
| Windows 10 21H2/22H2 | KB5099539 | 19044.7548 / 19045.7548 |
| Windows 10 1809 / Server 2019 | KB5099538 | 17763.9020 |
| Windows 10 1607 / Server 2016 | KB5099535 | 14393.9339 |
| Windows 11 24H2/25H2 | KB5101650 | 26100.8875 / 26200.8875 |
| Windows 11 26H1 | KB5101649 | 28000.2525 |
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 | KB5099536 | 26100.33158 |
How We Got Here
Microsoft’s July 2026 Patch Tuesday release was unusually large, with BleepingComputer noting a total of 570 fixes across the product spectrum. CVE-2026-57096 is just one of them