Microsoft’s July 2026 security updates, released on July 14, close a privilege escalation vulnerability in Windows WebView that could let an attacker with local access take complete control of a system. The flaw, CVE-2026-56173, carries a CVSS 3.1 base score of 7.0 and spans a wide swath of supported Windows releases, from Windows 10 version 1809 to Windows 11 26H1 and multiple server editions. While no active attacks have been reported, the bug’s root cause—a use-after-free memory error in a component woven throughout the operating system—makes it a priority for patching, especially on machines shared by multiple users.
What You Need to Know About the Flaw
CVE-2026-56173 exists in Windows WebView, the technology that lets applications and OS interfaces display web content natively. Microsoft describes it as a use-after-free vulnerability. In such a defect, the software continues to reference a block of memory that has already been released. An attacker who can trigger the condition and control what data fills that freed memory could manipulate execution flow, potentially gaining higher privileges.
The official CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The string breaks down like this: exploitation requires local access (AV:L) and an existing low-privileged account (PR:L), but no user interaction (UI:N). Attack complexity is rated high (AC:H), which means success depends on precise memory grooming or timing, not just running a script. Should those hurdles be cleared, the impact is severe: full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H).
In practice, an attacker who has already gained a limited foothold—through phishing, a compromised application, or a malicious insider—could use this vulnerability to elevate their access. From there, they could steal sensitive data, disable defenses, or install persistent backdoors. The high complexity rating tempers the urgency slightly, but it doesn’t eliminate the risk, particularly on endpoints that host user sessions from different trust levels.
Which Versions Are Affected—and Fixed
The vulnerable builds are listed by Microsoft and republished in the National Vulnerability Database. Here’s a breakdown of what’s impacted and the July 2026 cumulative update that corrects each one:
| Windows Version | Vulnerable Builds (Earlier Than) | Fixing Update (KB) | Patched Build |
|---|---|---|---|
| Windows 10 1809 / Server 2019 | 17763.9020 | KB5099538 | 17763.9020 |
| Windows 10 21H2 | 19044.7548 | KB5099539 | 19044.7548 |
| Windows 10 22H2 | 19045.7548 | KB5099539 | 19045.7548 |
| Windows 11 23H2 | 22631.7376 | KB5099414 | 22631.7376 |
| Windows 11 24H2 | 26100.8875 | KB5101650 | 26100.8875 |
| Windows 11 25H2 | 26200.8875 | KB5101650 | 26200.8875 |
| Windows 11 26H1 | Within affected range | KB5101649 | 28000.2525 |
Both x64 and Arm64 editions are affected for the Windows 11 releases listed; Windows 10 also includes 32-bit systems. The wide coverage signals that the vulnerable WebView code is part of the core Windows servicing stack, not an isolated optional component. Installing the correct July cumulative update moves a device to the patched build column.
Why This Isn’t Just a Browser Bug
Windows WebView underpins far more than Edge. Many built-in experiences—authentication dialogs, help panes, setup screens, and hybrid applications—rely on it to render web-based content. You don’t need to launch a browser to interact with WebView; the technology is embedded into the graphical shell and countless third-party apps. That means blocking the Microsoft Edge browser process or setting a different default browser does nothing to remove the vulnerable component. Attack surfaces that are invisible to the user but constantly present—that’s what makes a WebView privilege escalation bug more troubling than a typical browser vulnerability. Microsoft hasn’t specified a particular application workflow that triggers the flaw, so assuming the threat is confined to web browsing would be a mistake.
This also clarifies why the fix comes through a full Windows cumulative update rather than a standalone Edge or WebView2 Runtime patch. The vulnerable code lives in the operating system’s shared libraries. Even if you update the Edge WebView2 Runtime separately (which is serviced outside of Patch Tuesday), the OS-level component remains unchanged. Only the appropriate cumulative update fully addresses CVE-2026-56173.
The Connection Between Confidence and Risk
The Microsoft Security Response Center marks the vulnerability report confidence as “Confirmed.” That descriptor measures how certain Microsoft is that the bug exists and that the technical account is credible. It does not mean attackers are already exploiting the flaw. As of July 15, there’s no public exploit code, no step-by-step attack scenario, and the NVD entry is still “Awaiting Enrichment.”
Administrators should read “confirmed” as a signal to act, not to panic. It puts CVE-2026-56173 in a tier below actively exploited zero-days and remotely reachable vulnerabilities that need immediate out-of-band patches. But the combination of a clear memory corruption bug, a privilege boundary crossing, and broad base of affected systems still argues for prompt deployment. In environments where untrusted users share workstations or remote desktop hosts, the calculus shifts from “patch soon” to “patch now.”
Patching and Verification: A Step-by-Step Guide
For enterprise environments, the fix arrives through the regular July cumulative update stream. No standalone package is needed. Still, pushing the update button is only half the job. Because the vulnerability is patched only when the OS build reaches a specific number, IT teams must verify the post-install build—not just that the KB is listed as “installed.”
Here’s a practical workflow:
- Deploy the appropriate update via Windows Update, Windows Update for Business, Microsoft Intune, Configuration Manager, or your patch management tool.
- Require a restart—the update can’t complete without one. Pending reboots are a common reason builds stick at pre-patch levels.
- Check the OS build using one of these methods:
- Runwinverfrom the Start menu.
- Use PowerShell:Get-ComputerInfo | Select-Object OsVersion, OsBuildNumber
- For remote inventories, queryOsBuildNumbervia WMI or your RMM. - Compare the reported build against the fixed build in the table above. If it’s lower, the patch may have failed or rolled back.
- Investigate discrepancies—machines that report the KB as approved but remain on an old build could indicate a blocked installation or a scripted approval that never actually triggered the deployment.
For home users and unmanaged devices, the process is simpler:
- Open Windows Update, check for updates, and install everything offered.
- After restarting, verify your Windows version by typing “About your PC” in the Start menu. The “OS build” line should match the patched number for your edition.
Shared systems deserve extra scrutiny. Remote Desktop Session Hosts, jump servers, developer workstations, kiosks that allow code execution, and VDI environments all give attackers with limited accounts a chance to run local code. Prioritize those machines in your patch schedule.
What Comes Next
CVE-2026-56173 is unusual for its reach across so many Windows generations, a reminder that legacy components like WebView can carry risks hidden in plain sight. Microsoft’s advisory doesn’t indicate that a public proof of concept is imminent, but the nature of use-after-free bugs often attracts research. Security teams should watch for updated CVSS scores or exploitation activity notes on the MSRC guide and NVD page. For now, the single most effective measure is completing the July update cycle and confirming every affected device posts a secure build. That’s the difference between a patched paper trail and a genuinely hardened system.