Microsoft shipped security updates on July 14, 2026 that close a critical gap in the Windows kernel. The flaw, cataloged as CVE-2026-50673, lets any locally authenticated attacker—someone with even limited account privileges—turn that foothold into full SYSTEM control of the machine. With a CVSS score of 7.8 and an Important severity rating from Microsoft, the bug affects virtually every supported Windows version from Windows 10 1607 through the latest Windows 11 26H1, plus a long list of Windows Server releases.
What Microsoft fixed in the July 2026 patches
CVE-2026-50673 is a classic time‑of‑check‑to‑time‑of‑use (TOCTOU) race condition that results in a NULL pointer dereference inside the Windows kernel. Microsoft’s Security Update Guide maps the weakness to two Common Weakness Enumerations: CWE‑367 for the race condition and CWE‑476 for the NULL pointer. The combination means an attacker can manipulate the kernel into referencing an invalid memory location at just the right moment, which leads to privilege elevation.
The National Vulnerability Database assigned the flaw a CVSS 3.1 score of 7.8 (High). The attack vector is local, so an unauthenticated remote attacker cannot trigger it directly. However, the exploit requires only low privileges and no user interaction—once an adversary gets code running on a PC (via a separate vulnerability, credential theft, or malicious download), CVE‑2026‑50673 can strip away all remaining security boundaries. The CVSS scope is marked as “changed,” meaning a successful exploit can reach resources beyond the initial security authority; in practice, it can hand the attacker SYSTEM access, letting them install programs, view or change data, and create new accounts with full rights.
Microsoft classifies the patch as “Important”—one notch below “Critical”—because the vulnerability doesn’t allow remote code execution on its own. Still, the company’s advisory acknowledges that confidentiality, integrity, and availability are all at high risk if the flaw is exploited.
The affected product list is extraordinarily broad because the bug lives in a core kernel component. Every supported Windows release that receives security servicing is in scope:
- Windows 10 versions 1607, 1809, 21H2, and 22H2
- Windows 11 versions 24H2, 25H2, and 26H1 (both x64 and Arm64)
- Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025—including Server Core installations for each.
Microsoft’s guidance ties the fix to specific build numbers. Checking “I ran Windows Update” isn’t enough—an update might be downloaded but not yet installed, deferred by policy, or awaiting a restart. Here are the corrected build thresholds for the most‑used editions:
| Windows edition | Fixed build |
|---|---|
| Windows 11 24H2 | 26100.8875 |
| Windows 11 25H2 | 26200.8875 |
| Windows 11 26H1 | 28000.2525 |
| Windows 10 22H2 | 19045.7548 |
| Windows 10 21H2 | 19044.7548 |
| Windows Server 2025 | 26100.33158 |
| Windows Server 2022 | 20348.5386 |
| Windows Server 2019 | 17763.9020 |
| Windows Server 2016 | 14393.9339 |
For Windows Server 2012 and 2012 R2, the fix arrives through the Extended Security Updates channel as a July 2026 security‑only or monthly rollup package—verify the specific KB article for those platforms.
What this means for you
Home users
If your Windows 10 or Windows 11 PC automatically downloads and installs cumulative updates, you’re likely already patched—provided you’ve completed the required restart. Open Settings > System > About (or type winver in the Start menu) and compare your OS build number to the table above. If it’s equal to or higher than the listed build, you’re protected. Because the vulnerability cannot be exploited remotely, there’s no need to change firewall rules or disable network services; simply applying the July cumulative update and rebooting neutralises the risk.
IT administrators and enterprise security teams
The real urgency sits here. CVE‑2026‑50673 matters most on systems where semi‑trusted or untrusted users can launch code: virtual desktop infrastructure, Remote Desktop Session Hosts, shared workstations, build agents, student labs, and servers that host third‑party applications or multiple tenants. In those environments, a low‑privilege compromise can quickly escalate into a full domain breach when a kernel privilege‑escalation primitive is available.
Even though the flaw carries a high attack‑complexity rating—attackers must win a race condition that depends on processor scheduling, memory layout, and system load—don’t let that complexity breed complacency. Kernel privilege‑escalation bugs are invaluable in real‑world attack chains, and researchers almost always refine early exploitation techniques over time. A proof‑of‑concept that is unreliable today could be weaponised within weeks. Microsoft reports no known exploitation at the time of disclosure, and the Zero Day Initiative confirms the vulnerability was neither publicly disclosed nor exploited when the patch shipped. But the safest course is to treat CVE‑2026‑50673 as a “patch now” item for any machine that an attacker might access locally.
Prioritise deployment to:
- Remote Desktop servers and jump hosts
- Multi‑user terminal servers
- Development machines that download and run less‑vetted code
- Any server where a compromised standard user account could pivot deeper
Developers and power users
The same local‑access constraint applies. While most developers run with elevated privileges anyway, build pipelines or test environments that rely on isolated accounts could be undermined if the kernel is compromised. Make sure your lab VMs and development boxes pull the July update and the host OS’s build matches the corrected version.
How we got here: a race deep inside the kernel
Time‑of‑check‑to‑time‑of‑use bugs are a recurring class of vulnerability in operating‑system kernels. The kernel must constantly validate that an object (such as a file handle or memory address) is in a safe state before allowing a caller to use it. If an attacker can slip in and change that object’s state between the validation and the use, the kernel may follow a stale pointer and crash—or, worse, be tricked into executing attacker‑controlled code with its own privileges.
Microsoft patched several similar race conditions in recent years, including CVE‑2022‑24521 and CVE‑2023‑21674, both of which were also kernel‑mode elevation flaws. CVE‑2026‑50673 follows the same blueprint. The NULL pointer dereference indicates that the kernel tries to read from an invalid memory address, a situation that can be steered into a controlled write or code execution with careful heap grooming.
The July 14 release arrived on a standard Patch Tuesday and encompassed dozens of fixes for Windows, Office, and other Microsoft products. Because CVE‑2026‑50673 affects a foundational component, its patch footprint stretches from client operating systems to data‑center servers—and even to Windows Server 2012, which requires an active Extended Security Update licence to receive the fix. This illustrates how long‑lived kernel code can carry vulnerabilities that span more than a decade of Windows releases.
Microsoft’s advisory provides high confidence that the vulnerability exists, but the company has not published a detailed attack sequence or proof‑of‑concept code. That’s standard practice to delay exploitation while customers apply the update.
What to do now: verify and deploy
- Check your build number – On any device you manage or use, run
winver, check System Information, or query the OS build via PowerShell (Get-ComputerInfo -Property OsBuildNumber). Compare it to the table above. A build number below the threshold means the July cumulative update is missing or incomplete. - Force the update if needed – In Windows Update, click “Check for updates” and install all pending cumulative updates. Many enterprise environments use Windows Update for Business, Microsoft Intune, or WSUS; ensure your deployment rings approve the July 2026 security update without excessive delay.
- Confirm no pending reboot – Some updates won’t finalise until the machine restarts. After installation, verify the build number again.
- Prioritise high‑exposure machines – Focus first on systems where untrusted users can execute code. In your vulnerability‑management platform, filter assets that haven’t reached the corrected build and tag them for emergency remediation.
- Monitor for post‑patch stability – Though the July 2026 cumulative update has shown no widespread issues at the time of writing, always test on a representative subset of devices before broad rollout, especially on domain controllers and Hyper‑V hosts.
- Watch for supplemental guidance – Microsoft sometimes publishes standalone security advisories or mitigation tools. No workaround exists for CVE‑2026‑50673; the only action is to install the update. If your organisation cannot patch immediately, limit local access to the strictest degree possible and audit interactive logons.
Home users who rely on Automatic Updates can typically rest easy as long as the system shows the updated build number. There is no need to download a separate tool or disable any services.
Outlook: what to watch next
No threat activity has been observed so far, but that can change. CISA’s catalog of Known Exploited Vulnerabilities does not yet list CVE‑2026‑50673; if it appears there, that will signal active exploitation and may require a far faster patch cadence for federal agencies and their contractors. Independent researchers will almost certainly reverse‑engineer the July patch to understand the exact trigger, so proof‑of‑concept code—initially unreliable but improving over time—is likely to surface within the next few weeks.
IT teams should keep an eye on Microsoft’s Security Update Guide and the CVE details page for any updates to the disclosure. Meanwhile, verifying that every Windows endpoint has reached its July 2026 build remains the simplest defence against a vulnerability that could turn a minor compromise into a full‑blown system takeover.