Microsoft released its monthly security round on July 14, 2026, fixing a high-severity remote code execution flaw in the Windows SMB server driver. Tracked as CVE-2026-57089, the vulnerability resides in srvnet.sys, a kernel-level component that handles SMB network transport. Attackers can exploit it over a network without authentication, but the exploit chain requires user interaction, making it a different beast from the self-spreading SMB worms of the past. Still, for any Windows device that accepts inbound SMB connections—file servers, domain controllers, Hyper-V hosts, or even a workstation with file sharing turned on—this is not a bug to sit on.

What just got patched?

CVE-2026-57089 is a use-after-free memory corruption bug in the SMB Server Network Transport Driver. An attacker who successfully manipulates memory could execute arbitrary code in the kernel, essentially taking over the target system. Microsoft’s CVSS 3.1 score of 7.5 (High) reflects the seriousness: an attacker doesn’t need prior access or credentials, and the attack vector is the network. The U.S. National Vulnerability Database classifies the weakness as CWE-416: Use After Free, aligning with Microsoft’s technical description.

The July cumulative updates for all supported Windows versions contain the fix. Below are the minimum build numbers after installing the updates—a quick way to validate that the patch is applied, especially in environments where update reporting lags.

Platform Fixed Build Update KB
Windows 11 24H2 & 25H2 26100.8875 / 26200.8870 KB5101650
Windows Server 2025 26100.33158 KB5099536
Windows Server 2022 20348.5386 KB5099540
Windows Server 2019 & Windows 10 LTSC 2019 17763.9020 KB5099538
Windows Server 2016 & Windows 10 LTSB 2016 14393.9339 KB5099535
Windows 10 21H2 & 22H2 19044.7548 / 19045.7548 KB5099539

Windows Server 2012 and 2012 R2 are also affected (builds 9200.26226 and 9600.23291, respectively) and receive fixes via their monthly security rollups. Server Core installations are equally vulnerable.

Who is at risk?

The vulnerable file, srvnet.sys, is the server-side SMB driver. If a Windows machine is listening on port 445, it’s acting as an SMB server—even if you never explicitly configured it that way. That means the usual suspects are obvious: file servers, application servers with administrative shares, domain controllers, Hyper-V hosts, and management jump boxes. But it also covers any Windows 10 or 11 PC that has file and printer sharing enabled, Remote Desktop allowing drive redirection, or third-party software that opens SMB shares for legitimate use. If another device on the network can reach that machine over SMB, the attack surface exists.

Enterprise admins should pay particular attention to servers that bridge network segments. A file server sitting between the production VLAN and a contractor network, for example, presents a richer target than an isolated test box in a lab. Workstations that browse shares from untrusted systems or that connect to adversary-controlled servers (perhaps via a malicious .lnk file in a shared folder) could end up providing the user interaction required for exploitation.

The unusual user interaction requirement

“Remote code execution over a network” conjures images of WannaCry and EternalBlue, where a single unpatched machine could infect an entire subnet without any user action. Microsoft’s advisory complicates that picture: CVSS vector assigns “User Interaction: Required.” In plain terms, the attacker cannot simply fire a packet at a server and gain code execution; some action by a target user—perhaps opening a file, browsing to a specially crafted share, or clicking a link—must occur. Microsoft hasn’t publicly detailed the exact interaction, which is typical as it allows defenders time to patch before attackers reverse-engineer the update.

The high attack complexity (CVSS AC:H) further raises the bar. This rating usually means that successful exploitation depends on conditions beyond the attacker’s control, such as a specific memory layout or timing. It’s not a “trivial to exploit” label, but it’s also not a guarantee of safety. CVSS scores reflect theoretical exploitability; in practice, determined adversaries may still chain this bug with other techniques to achieve reliable attacks.

As of July 15, 2026, no public exploits or proof-of-concept code are known. However, the absence of a public exploit statement does not mean one won’t appear after researchers dissect the patch. For a server-side SMB bug with code-execution potential, the prudent approach is to patch now, not wait for a working exploit to emerge.

How to protect your systems

For the vast majority of Windows users, the fix is straightforward: install the July 2026 cumulative update and reboot. The challenge lies in verifying that the patch has actually landed, especially across large estates. Relying on Windows Update’s “You’re up to date” message isn’t enough; check the build number or the installed update KB.

Step 1: Deploy the patch

Push the July cumulative update through your standard management channel—Windows Update for Business, WSUS, SCCM, or Intune. For offline servers or air-gapped environments, download the standalone packages from the Microsoft Update Catalog.

Step 2: Validate the build

Use the table above to confirm that each system has reached or exceeded the fixed build. In PowerShell, run:

(Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\").ReleaseId

and cross-reference with the update KB. For servers, this check should become part of your patch compliance auditing.

Step 3: Handle BitLocker warnings

Microsoft’s release notes for Server 2022 warn that systems with certain BitLocker Group Policy settings (those outside the recommended configuration) may require a recovery key after applying the July update. This is a deployment consideration, not a security vulnerability. Test the update on a representative server, ensure BitLocker recovery keys are accessible, and proceed.

Step 4: Reduce unnecessary SMB exposure

Patching closes the code flaw, but SMB remains a high-value target. Use this moment to harden your network:
- Block TCP port 445 at edge firewalls—SMB should never be exposed to the public internet.
- Use internal segmentation to limit SMB traffic between VLANs and subnets where file sharing isn’t needed.
- Configure Windows Defender Firewall on endpoints to deny inbound SMB from untrusted networks.
- Audit and remove shared folders that no longer serve a business purpose.
- For privileged accounts, minimize logon rights to critical servers over SMB, and monitor for unusual access patterns.

If disabling SMB entirely is an option for a particular server or workstation, the safest course is to turn off File and Printer Sharing and disable the Server service (LanmanServer). However, many environments depend on SMB for critical functions: Group Policy distribution, user logon scripts, cluster communication, Hyper-V live migration, and more. Broadly shutting down SMB can cause more outages than the vulnerability itself. Instead, couple patching with surgical exposure reduction.

How we got here

This isn’t Windows’ first rodeo with SMB driver flaws. The 2017 EternalBlue exploit (CVE-2017-0144) and subsequent WannaCry outbreak seared into administrators’ minds the damage a wormable SMBv1 bug can cause. Since then, Microsoft has repeatedly hardened SMB—deprecating SMBv1 by default, introducing SMB encryption, and rolling out features like SMB over QUIC. Yet the core transport driver, srvnet.sys, remains a persistent area of risk because it processes network I/O in kernel mode, leaving little room for sandboxing when a memory-corruption bug surfaces.

CVE-2026-57089 is located in that driver. Unlike the earlier nightmares, this vulnerability requires user interaction, which severely limits automated lateral movement. But history shows that attackers can be creative. A malicious insider or a compromised service account that mounts a carefully crafted share could trigger the condition. Or a user tricked into opening a file from an untrusted network location might provide the needed click. The threat landscape has evolved: low-click or even zero-click chains are the holy grail, but forced user interaction is still a viable piece of an attack chain.

Microsoft’s July 2026 patch cycle also includes a separate networking hardening change around third-party TDI transports that can affect applications using sockets over unregistered transports. This is unrelated to CVE-2026-57089 but may require compatibility testing, especially on systems that use legacy VPN or filtering drivers. Don’t confuse the two.

What to watch for next

The immediate step is to apply the July updates and validate the fix. After that, the security community will be watching for several signals:
- Will Microsoft revise the CVSS score down if exploit development proves too difficult, or up if a simpler attack vector emerges?
- Will a proof-of-concept surface on GitHub or exploit databases in the coming weeks?
- Will the National Vulnerability Database enrich the CVE entry with additional references or a higher severity after its own analysis?

For most organizations, the answer is not to wait. Patch now, shrink your SMB attack surface, and assume that a determined adversary will eventually figure out a way to trigger this bug. It’s not WannaCry, but a kernel-mode RCE in a universally available network service deserves your attention before it becomes someone else’s incident report.