Microsoft’s July 2026 security updates, released on July 14, close a local privilege-escalation vulnerability in Windows 11 and Windows Server 2025 that could allow an attacker with a foothold on a system to grab higher privileges. The fix, tracked as CVE-2026-49162, addresses a use-after-free memory bug in the Microsoft Brokering File System. Administrators should treat the patch as a priority on shared machines and servers that allow interactive logons, even though the flaw requires an attacker to already be running code on the target.
What changed with the July updates
The patch corrects a use-after-free condition inside the Microsoft Brokering File System. When software frees a block of memory but continues to reference it, an attacker who can control what replaces that memory may gain a path to corruption and, ultimately, execution with higher rights. Microsoft’s advisory describes the vulnerability as local: an attacker must already be authenticated and able to run code on the machine. The CVSS 3.1 base score is 7.0, and the weakness is classified as CWE-416.
Microsoft has published affected-version data for five products:
| Product | Affected Builds (before fix) | Fixed Build (or later) |
|---|---|---|
| Windows 11 version 24H2 (x64 & Arm64) | 26100.8874 and earlier | 26100.8875 |
| Windows 11 version 25H2 (x64 & Arm64) | 26200.8874 and earlier | 26200.8875 |
| Windows 11 version 26H1 (x64 & Arm64) | 28000.2268 and earlier | 28000.2269 (also addressed in KB5101649, build 28000.2525) |
| Windows Server 2025 | 26100.33157 and earlier | 26100.33158 |
| Windows Server 2025 (Server Core) | 26100.33157 and earlier | 26100.33158 |
For Windows 11 26H1, Microsoft’s update history shows KB5095051 (released June 9, 2026) already brought systems to build 28000.2269, which matches the listed threshold. However, the July 14 release, KB5101649, advances that branch to build 28000.2525, so any 26H1 machine with current updates is clearly patched. Administrators should verify the OS build number rather than relying on patch titles alone—a system that installed an update but is pending restart may still be exposed.
What the vulnerability means for your environment
The local-access requirement doesn’t make CVE-2026-49162 harmless. Privilege-escalation bugs are widely used in the real world after an attacker obtains a foothold through phishing, stolen credentials, or malicious software. Once a standard user account is compromised, a local escalation exploit moves the attacker closer to SYSTEM, letting them disable defenses, steal sensitive data, or persist across reboots.
Microsoft has not disclosed the exact privilege level an exploit would provide, but the advisory leaves no doubt that an attacker can “elevate privileges locally.” For a home user with a single account and automatic updates enabled, the risk is low. For businesses, the calculation changes sharply on shared workstations, jump servers, developer machines, and virtual desktop hosts—any endpoint where multiple users can run code or where interactive logons are allowed.
On Windows Server 2025, the risk is heightened when Remote Desktop Services are enabled or when frontline workers sign in directly. Even a restricted user who shouldn’t have administrative rights could use this flaw to bypass containment, making the patch critical for any server that permits user logons.
How we arrived at CVE-2026-49162
Microsoft disclosed the vulnerability during its regular Patch Tuesday cadence on July 14, 2026, confirming the flaw after internal research or external reporting. The advisory includes the boilerplate CVSS confidence text, which indicates the vulnerability is “confirmed” by the vendor—meaning technical details are reliable, though not necessarily public.
No proof-of-concept code or detailed technical write-up accompanied the initial disclosure. That silence is standard for freshly patched local bugs, giving organizations time to deploy before attackers reverse-engineer the fix. However, experience shows that motivated researchers can often reconstruct an exploit by comparing the patched and unpatched binaries. Past privilege-escalation vulnerabilities in Windows, such as those in the print spooler or kernel drivers, eventually saw public exploits even when initially undocumented.
CVE-2026-49162 is the latest in a long line of use-after-free flaws in Windows components. The Microsoft Brokering File System is a relatively modern subsystem that handles file synchronization across processes; memory bugs in such components can undermine the security boundaries that Windows relies on to separate user contexts.
Steps you should take right now
-
Deploy the July 2026 cumulative update. For Windows 11, this is the latest security update from Windows Update, WSUS, or Microsoft Update Catalog. For Windows Server 2025, apply the servicing stack update and the cumulative update together if you’re using offline methods. Reboot to complete the installation.
-
Verify the OS build number. Open a command prompt and run
winveror use PowerShell:(Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber. Compare the output with the fixed builds listed above. In an enterprise, use Microsoft Intune, Configuration Manager, or Windows Update for Business reports to confirm deployment across your fleet. -
Prioritize high-risk machines. Move shared workstations, Remote Desktop hosts, developer endpoints, and servers with interactive logons to the top of your patch test ring. These systems offer an attacker the easiest path from an initial compromise to privilege escalation.
-
Tighten interim defenses if you cannot patch immediately. While not a substitute for the update, consider these measures: remove unnecessary local user accounts, enforce application control (AppLocker or Windows Defender Application Control), block execution from user-writable directories where practical, and monitor for unexpected process chains using Sysmon or EDR. Restrict interactive logons to servers via Group Policy until patching is complete.
-
Watch for proof-of-concept releases. Subscribe to Microsoft’s security update RSS feed or your threat intelligence provider. Once exploit code appears, the window to patch shrinks dramatically. Even though CVE-2026-49162 is not actively exploited on disclosure day, the balance can tip quickly.
The fix does not require configuration changes or workarounds beyond installing the update. Microsoft has not published any mitigation that would avoid the patch, so installing the update is the only sure defense.
What to watch next
Microsoft’s next Patch Tuesday will land on August 11, 2026, and will likely include further fixes for Windows components that have received similar scrutiny. Keep an eye on the Microsoft Security Response Center’s blog for any late-breaking active-exploitation notices for CVE-2026-49162. If attackers chain this flaw with a remote code execution vulnerability in a popular application, the risk profile will spike. For now, the patch is your safest bet.