Microsoft's July 14, 2026 Patch Tuesday release includes a fix for a Windows kernel vulnerability that could allow an attacker with a basic foothold on your PC to peek at sensitive data. The bug, tracked as CVE-2026-50377, is an out-of-bounds read in the Windows Kernel that received a CVSS score of 5.5 (Medium) and an Important rating from Microsoft. Though no active exploits have been spotted, leaving this hole open is an invitation to data theft.

A kernel read gone wrong

CVE-2026-50377 is a classic memory-safety error—specifically, an out-of-bounds read (CWE-125). When the Windows Kernel accesses a memory buffer, it can inadvertently step past the intended boundary and read adjacent data that should be off-limits. Microsoft's CVSS vector tells the story: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Translation? A local attacker with low privileges can exploit this bug with low complexity, no user interaction, and a high chance of stealing confidential information. No system crashes, no remote code execution—just a quiet, unauthorized peek at kernel memory.

The fix is baked into the July 2026 cumulative updates for every affected Windows branch. Here's a quick reference table of the build numbers you need to be protected:

Windows Version KB Article Post-Update Build
Windows 10 1607 / Server 2016 KB5099535 14393.9339
Windows 10 1809 / Server 2019 KB5099538 17763.9020
Windows 10 21H2 / 22H2 KB5099539 19044.7548 / 19045.7548
Windows 11 24H2 / 25H2 KB5101650 26100.8875 / 26200.8875
Windows 11 26H1 KB5101649 28000.2525

These builds cover all supported architectures—x64, Arm64, and even 32-bit where applicable—including Server Core installations. Because the fix arrives via the regular cumulative update, there's no separate hotfix to hunt down. If you're at or above the corrected build for your branch, you're safe. If not, you're vulnerable.

Who's really at risk?

For home users, the threat is modest. An attacker first needs to run code on your PC with at least standard user permissions—think a malware-infected download, a malicious script in an email, or a compromised freeware application. If you practice basic digital hygiene, avoid sketchy executables, and let Windows Update do its thing automatically, the risk is low. But that doesn't mean you should hit snooze on the patch. The easiest way to shut this door is to install the update.

For IT administrators, the calculus changes. Any machine where low-privileged code can land becomes a potential springboard. Shared servers, Remote Desktop Session Hosts, virtual desktop infrastructure, build agents, and developer workstations are prime targets. An attacker who grabs a foothold could use this kernel read to steal credentials, encryption keys, or memory layout details that aid in a wider attack chain. Even if CVE-2026-50377 alone doesn't grant SYSTEM access, chaining it with another flaw could. Treat your patch priority based on user exposure, not just the CVSS number.

One practical wrinkle: KB5101650, the update for Windows 11 24H2 and 25H2, is currently blocked on a limited set of Dell devices with Intel processors. Microsoft has withheld it after Dell reported shutdown, performance, heat, and battery problems. If you manage affected Dell hardware, do not bypass the safeguard just to check a CVE box—keep monitoring Microsoft and Dell advisories for a revised fix.

How we got here

Out-of-bounds reads have plagued operating systems for as long as there have been kernels. Researchers (or possibly an anonymous reporter—Microsoft hasn't publicly credited a finder) discovered this particular flaw and the MSRC engineered a patch, rolling it into the July 2026 Patch Tuesday bundle. The CVE was publicly disclosed on July 14, with Microsoft assessing no evidence of active exploitation. CISA's Stakeholder-Specific Vulnerability Categorization concurs: no observed attacks and low automitability.

The CVSS 5.5 score often leads some admins to postpone patching, especially when stacked against critical remote code execution bugs. But that Medium rating reflects the local-access prerequisite, not the potential blast radius. Microsoft's own Important severity—one step below Critical—signals that the data exposure is serious enough to warrant prompt attention. And with the NVD still enriching its entry after publication, the current score may not yet capture all dimensions of the flaw.

What to do now

For everyone: Check your build number right now. Hit Win+R, type winver, and compare the displayed build against the table above. If it's lower, head to Settings > Windows Update and install the latest cumulative package. For most home PCs, this is a few clicks and a restart.

For businesses: Inventory your devices with endpoint management tools or PowerShell:

Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object BuildNumber, Caption

Compare the results to the corrected builds. Prioritize patching on interactive servers, developer machines, and any system running third-party software that could be a foothold. If you're on Windows 10 22H2, remember mainstream support ended in October 2025—you need Extended Security Updates (ESU) to receive KB5099539. LTSC and IoT Enterprise editions have their own timelines.

Verify that your vulnerability scanner is checking the full build number, not just a generic "Windows Kernel" banner that might misreport status. Scanners that only look for a KB article without confirming the build revision can generate false positives.

If you're blocked by the Dell safeguard, mitigate with existing controls: enforce application whitelisting, remove unnecessary local admin rights, monitor for unusual process behavior, and keep endpoint detection active. The kernel fix will arrive once Microsoft and Dell iron out the hardware incompatibility.

Outlook

With no in-the-wild exploits, CVE-2026-50377 isn't a drop-everything fire drill. But kernel vulnerabilities have a long tail—once a patch is reverse-engineered, an exploit often follows. The next Patch Tuesday falls on August 11, 2026. Between now and then, watch for any updates to this CVE. If proof-of-concept code surfaces, the urgency will spike. In the meantime, a simple cumulative update keeps your data from becoming an open book.