Microsoft released a security update on July 14, 2026 that squashes a privilege-escalation vulnerability in Windows 11. The flaw, tracked as CVE-2026-50345, could allow an attacker with limited local access to seize complete control over a system—compromising confidentiality, integrity, and availability. The fix arrived via KB5101650 for Windows 11 versions 24H2 and 25H2, and administrators should deploy it promptly despite the high attack complexity.

The Patch and the Flaw

CVE-2026-50345 is an Important-rated elevation-of-privilege bug in the Windows Runtime. Microsoft’s advisory classifies it as a race condition (CWE-362) with a use-after-free element (CWE-416). In plain terms, the operating system failed to properly synchronize access to a shared resource when two or more operations ran concurrently. An attacker who could time the operations just right might manipulate memory after it had been freed, escalating privileges from a standard user account to SYSTEM.

The July 2026 cumulative update KB5101650 addresses the problem for Windows 11 24H2 and 25H2. Applying the update moves those versions to OS builds 26100.8875 and 26200.8875, respectively. Windows 11 26H1 received its protection earlier via KB5095051 (the June 2026 security release), which established build 28000.2269 as the baseline. Windows Server 2025, including its Server Core installation, requires its own servicing update to reach build 26100.33158.

This vulnerability was not publicly disclosed or seen in active attacks when the patches shipped, according to Microsoft and SANS Internet Storm Center. Despite the lack of known exploitation, the CVSS 3.1 base score sits at 7.0, with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The “AV:L” means local access is required; “AC:H” flags high attack complexity; and “PR:L” indicates that low-level privileges (a standard user account) are enough to launch the exploit.

Who Is Affected

The affected product set is narrower than you might think. Microsoft confirms the following Windows releases are vulnerable unless they meet the minimum build numbers:

Product Affected Builds Fixed Build Patch Source
Windows 11 24H2 (x64/Arm64) Below 26100.8875 26100.8875 KB5101650 (July 2026)
Windows 11 25H2 (x64/Arm64) Below 26200.8875 26200.8875 KB5101650 (July 2026)
Windows 11 26H1 (x64/Arm64) Below 28000.2269 28000.2269 KB5095051 (June 2026)
Windows Server 2025 (Server Core) Below 26100.33158 26100.33158 July 2026 security update

Windows 10 and earlier Windows 11 releases (21H2, 22H2, 23H2) are not listed. Unless Microsoft expands the advisory later, those systems are not directly exposed to this specific Runtime vulnerability.

Why This Matters Despite the Local Restriction

At first glance, “local access required” and “high attack complexity” might make CVE-2026-50345 sound like a lower priority. That would be a mistake. Privilege-escalation bugs are critical in multi-stage attacks. A phishing email might deliver a payload that runs with limited user rights; a malicious document could exploit a separate bug to gain code execution inside a sandbox; or a compromised credential might allow a remote desktop session as an ordinary user. All of these scenarios provide the local foothold CVE-2026-50345 needs.

Once an attacker has that foothold, successfully exploiting this race condition would grant them full SYSTEM-level access. They could steal sensitive data, install persistent malware, disable security tools, or move laterally across the network. The high attack complexity reflects the difficulty of crafting a reliable exploit, not the scale of the damage. Race conditions often require many attempts and precise timing, but once a proof-of-concept is weaponized, it becomes a point-and-click tool for less skilled attackers.

How We Got Here

Microsoft’s July 2026 Patch Tuesday addressed a range of vulnerabilities, and CVE-2026-50345 is part of a long lineage of Windows Runtime privilege escalations. The Windows Runtime is a fundamental component that underpins many modern apps and system services. Race conditions in the kernel or critical subsystems have historically been a favored target for researchers because they often bypass code-integrity checks and can be chained with sandbox escapes.

Although Microsoft has not disclosed the specific service or API call that triggers the flaw, the combination of a race condition and use-after-free points to a concurrency bug in memory management. Such bugs are notoriously difficult to find and fix, but they can persist for years. The fact that the flaw appears only in current Windows 11 and Server 2025 builds suggests it may have been introduced during development of the 24H2-era codebase or later.

What You Should Do Right Now

For Home Users

Open Settings > Windows Update and install all available updates. After the installation, restart your PC and check your OS build by typing winver in the Start menu. If you’re on Windows 11 24H2, you should see 26100.8875 or higher. For 25H2, look for 26200.8875. Home users on 26H1 should already be at 28000.2269 if they installed the June cumulative update.

For IT Administrators

Deploy KB5101650 through your standard update management system. For Windows 11 24H2 and 25H2, this single cumulative update addresses CVE-2026-50345 and other July fixes. Confirm the build numbers on a sample of endpoints after deployment. Do not rely solely on the update installation status—some management tools report “installed” even if a component didn’t update correctly. Use PowerShell:

Get-ComputerInfo -Property WindowsVersion, OsBuildNumber

For Windows 11 26H1 machines, verify they have KB5095051 (build 28000.2269 or above). If they missed the June update, applying the July cumulative will bring them current and close this vulnerability.

Windows Server 2025 systems require extra attention. The server build numbering differs from client Windows, so check that you’ve reached at least 26100.33158. Server Core installations are equally affected—stripping the GUI doesn’t reduce exposure.

Prioritization Guidance

Prioritize workstations, developer VMs, jump hosts, and any server that permits interactive logins. While an attacker needs local access, these machines are far more likely to run user code from web browsers, documents, or third-party applications—creating the initial low-privilege execution vector this vulnerability exploits. Highly secure, headless servers with no regular user sessions are lower risk, but they should still be patched in the normal cycle.

Microsoft has not released any workarounds or mitigations for CVE-2026-50345. There is no registry key to set, no feature to disable, and no specific behavioral indicator to hunt. The only corrective action is the update.

The Bigger Picture

CVE-2026-50345 is a reminder that local privilege escalation remains a key adversary technique. Even when remote code execution is blocked or requires authentication, a simple user account can be enough to break out and take control. Microsoft’s sparse advisory—lacking a named component or PoC details—means defenders have less intelligence to hunt for exploitation attempts. However, that also means attackers would need to reverse-engineer the patch to create an exploit, buying time for organizations to deploy the fix.

Looking ahead, watch for any updates to Microsoft’s advisory. If the vulnerability is later found to be exploited in the wild, Microsoft may raise the severity or release additional guidance. Also, keep an eye on future Patch Tuesdays: race conditions in the Windows Runtime may signal a broader class of issues that researchers begin to scrutinize more closely. For now, updating to the July 2026 builds is the single most effective step you can take.