Microsoft's July 14, 2026 security updates patch a local privilege escalation vulnerability in Windows kernel-mode drivers that could let an attacker gain SYSTEM control on Windows 11 and Server 2025 machines. The flaw, tracked as CVE-2026-50396, stems from a use-after-free memory bug and carries a CVSS 3.1 base score of 7.0, placing it in the Important category. Administrators and home users alike need to confirm their systems have reached the specific patched builds — not just that they’ve run Windows Update.

The Flaw: Use-After-Free in Kernel Drivers

CVE-2026-50396 is a use-after-free vulnerability (CWE-416) in Windows kernel-mode drivers. The class of bug occurs when software continues to reference memory that has already been freed, potentially allowing an attacker to place malicious data there before the dangling pointer is used again. Because the affected code runs in kernel mode, a successful exploit crosses the most critical security boundary in Windows, giving an attacker the highest level of privilege.

Microsoft’s CVSS vector describes the attack as local, meaning an adversary must already have a foothold on the system with low-level privileges. No user interaction is needed, but exploitation carries high attack complexity. In practice, this vulnerability is most dangerous as a second-stage payload: an attacker first gains code execution through phishing, a compromised app, or stolen credentials, then leverages the kernel flaw to break out of a restricted account.

A successful escalation to SYSTEM can be devastating. It enables tampering with security software, dumping credentials of other users, installing rootkits, or modifying protected files and services. For shared endpoints, administrator workstations, and servers, the impact can cascade quickly.

Who’s Affected and How to Check Your Build

The vulnerability affects a narrow slice of recent Windows releases: Windows 11 versions 24H2, 25H2, and 26H1, plus Windows Server 2025 (including Server Core installations). Older releases such as Windows 10 and Server 2019 are not listed, though Microsoft could revise the advisory. Both x64 and Arm64 editions of Windows 11 are susceptible.

Patching is not just about installing an update — it’s about reaching a specific build number. Here are the thresholds:

Windows Version KB Number Patched Build
Windows 11 24H2 KB5101650 26100.8875 or later
Windows 11 25H2 KB5101650 26200.8875 or later
Windows 11 26H1 KB5101649 Builds 28000.2269+ are fixed; KB5101649 brings to 28000.2525
Windows Server 2025 KB5099536 26100.33158 or later

For most users, the July 2026 cumulative update delivered through Windows Update will install the correct KB. To verify, open Settings > System > About and look for the OS build number, or run winver. If the build is at or above the number above, you’re protected.

Understanding the CVSS Rating and What 'Confirmed' Really Means

The advisory lists a “Confirmed” report confidence in the CVSS 3.1 vector, which can sound alarming. In the CVSS framework, “Confirmed” means credible technical evidence exists for the vulnerability — for example, through vendor acknowledgement, reproducible tests, or source code analysis. It does not mean Microsoft has observed active attacks.

Microsoft has not publicly disclosed any in-the-wild exploitation of CVE-2026-50396. The high attack complexity and local vector mean it is not a turnkey remote exploit. However, history shows kernel privilege-escalation bugs gain value in post-compromise toolkits, and exploit reliability can improve once patches are reverse-engineered. As such, organizations should treat this as a priority for their usual patching cadence rather than an emergency out-of-band fix.

Beyond the Patch: The TDI Driver Registration Change

The July updates include a non-security change that may trip up some environments: Microsoft now enforces registration requirements for third-party Transport Driver Interface (TDI) transports. Starting with these patches, sockets using unregistered third-party TDI drivers may fail. This primarily affects legacy networking, filtering, VPN, or monitoring software.

IT administrators should include this compatibility change in their pre-deployment testing. If your organization relies on older drivers that hook into the TDI layer, you’ll need to verify compatibility with the July cumulative update before rolling it out fleet-wide. This is not a workaround for the vulnerability — it’s a parallel change that could cause operational issues if ignored.

What Home Users and IT Admins Should Do Right Now

For home users and individual PC owners:

  • Check that Windows Update has automatically installed the July 2026 cumulative patch. If not, manually check for updates and install.
  • Confirm the build number matches the table above. If you’re on an older build, run winver to see your current version; if it’s below the patched build, consider updating immediately.
  • No additional actions are required. Microsoft hasn’t published any specific configurations to mitigate the flaw, so the update is the only fix.

For enterprise admins and IT teams:

  • Identify affected endpoints via asset management or reporting tools. Look for Windows 11 versions 24H2, 25H2, 26H1 and Windows Server 2025 with builds lower than the thresholds.
  • Stage the July cumulative updates (KB5101650, KB5101649, KB5099536) in a pilot group first, watching for TDI-related failures and any other regressions.
  • Once validated, deploy broadly using your patch management system (WSUS, Intune, ConfigMgr, etc.). After deployment, audit that devices have reached the required build numbers — an update “offered” is not the same as “installed.”
  • If you cannot immediately patch a subset of systems, strengthen surrounding controls: reduce local accounts, restrict software execution, monitor for unexpected driver load events, and limit interactive logons to servers. These are not substitutes, but they reduce the risk of post-compromise escalation.

The Outlook

Microsoft’s advisory for CVE-2026-50396 currently shows no evidence of active exploitation, but the situation can change. Security researchers often dissect patches to understand the vulnerability, which can lead to proof-of-concept code and potentially in-the-wild attacks. Keep an eye on the MSRC advisory page for any revisions, and watch for threat intelligence reports on this CVE.

For now, the July 2026 updates are the definitive fix. The kernel flaw is real, but the practical risk is manageable with timely patching. The real-world impact will depend on how quickly organizations confirm their build numbers — not just their update compliance status.