Microsoft released its July 14, 2026 security updates, closing a critical flaw in a core Windows networking component that could let attackers with just basic user access seize full control of a machine. The vulnerability, tracked as CVE-2026-57093, sits inside the Windows Ancillary Function Driver for WinSock—known as AFD—and earned a CVSS score of 7.0, making it a priority for patching across both consumer and enterprise devices.

The root cause is a use-after-free memory corruption bug in the kernel-mode driver. When triggered, it opens an elevation-of-privilege path: a low-privileged account or malware process can break out of its sandbox and run code at the SYSTEM level, completely bypassing any security boundaries set by user permissions, User Account Control, or application controls.

What the Patch Actually Fixes

The AFD driver is a kernel-level service that underpins nearly all Windows networking operations. Applications that talk to the internet, local networks, or even local loopback services rely on it to manage sockets. When the driver mishandles memory—continuing to reference blocks after they’ve been freed—an attacker who finds a way to manipulate that freed memory can hijack execution flow. Microsoft’s advisory confirms the use-after-free condition and states that an authenticated local attacker could exploit it to gain higher privileges. No user interaction is needed once the attacker has a foothold on the system.

The fix arrives through Windows’ regular cumulative update mechanism, not as a standalone hotfix. This means any device that installs the July 2026 quality update (or any later cumulative update) will receive the patch automatically. The specific KB numbers and build numbers vary by version:

  • Windows 11 24H2 and 25H2 receive KB5101650, reaching builds 26100.8875 and 26200.8875 respectively.
  • Windows 11 26H1 gets KB5101649, build 28000.2525.
  • Windows 10 21H2 and 22H2 get KB5099539, taking them to builds 19044.7548 and 19045.7548.
  • Windows Server 2025 secures after build 26100.33158, Server 2022 after 20348.5386, Server 2019 after 17763.9020, and Server 2016 after 14393.9339. Both full and Server Core installations are covered.

The update also applies to Windows 10 version 1607 and 1809, Windows Server 2012, and 2012 R2 through their own servicing branches—and across x86, x64, and Arm64 architectures where supported. So the coverage is as broad as it gets for currently supported Windows releases.

What This Means for You

For everyday users and home PCs

If your device is set to receive automatic updates, you likely already have this patch. The simplest check: open Settings, click Windows Update, and confirm no pending updates remain. Your build number should match or exceed the threshold for your Windows version. This isn’t a vulnerability that can be triggered just by visiting a website or opening an email—an attacker needs local access first. But that local access can come in many forms: a malicious download, a previously installed trojan, or even a shared family account that gets compromised. Installing the update removes the easiest path from a basic user compromise to total system takeover.

One caveat: Microsoft has temporarily pulled KB5101650 for a narrow set of Dell systems using Intel processors due to reports of unexpected shutdowns, performance drops, and battery issues. If your Dell machine hasn’t received the update yet, don’t force it manually—wait for Microsoft and Dell to resolve the hardware interaction. Everyone else can install as normal.

For IT administrators and system managers

This vulnerability matters most in environments where users share devices, where remote desktop or VPN connections expose low-privilege accounts, or where developers regularly run untrusted code. An attacker with standard user rights on a file server, jump box, or kiosk machine could use this bug to elevate to administrator and then move laterally through the network. Patching should therefore be prioritized across all endpoints, not just high-privilege machines.

Validation is straightforward: confirm that the appropriate July cumulative update is installed. Tools like Intune, WSUS, or third-party patch managers can report on build numbers. A simple PowerShell command like Get-ComputerInfo -Property OsBuildNumber will surface the build. If the number equals or exceeds the patched build, you’re protected. Remember that future cumulative updates will also carry this fix, so if you’re already rolling out August’s patches when you read this, you’re covered.

Microsoft also warns about a separate networking hardening change in the July update: unregistered third-party Transport Driver Interface modules used by some legacy or custom networking software may stop working. Test any in-house tools that hook into the Windows network stack before broad deployment, especially on servers running VPN clients, security agents, or industrial control applications.

How We Got Here

AFD vulnerabilities aren’t a new story. Because the driver sits in the kernel and touches so many networking operations, it’s been a recurring target for security researchers and attackers alike. Use-after-free bugs in particular are a class of memory safety flaw that modern languages largely prevent, but the Windows kernel still relies heavily on C, where manual memory management leaves room for errors. Microsoft has been gradually adding mitigations—like Control Flow Guard and Kernel Data Protection—but these can’t catch every instance of a dangling pointer.

This specific CVE didn’t appear out of nowhere. It was reported through responsible disclosure, and Microsoft rates its exploitation likelihood as high complexity, meaning that crafting a reliable exploit isn’t trivial. But the CVSS vector—local, low privileges, no user interaction—tells defenders that once an attacker lands on a box, the race to patch begins. History shows that exploit code often follows within weeks of a patch release, as researchers reverse-engineer the update to understand the bug. Patching early keeps you ahead of that curve.

What to Do Now

  1. Check your build number. On any PC, open Start, type winver, and hit Enter. Note the OS build. Compare it against the patched thresholds listed above. If your build is lower, you’re vulnerable.
  2. Install the latest cumulative update. Go to Settings > Windows Update, or for servers, use your standard deployment pipeline. There’s no separate “CVE-2026-57093” fix to search for—simply getting current on July 2026 updates is sufficient.
  3. Test for TDI compatibility. If you maintain legacy networking software, run a pilot on a patched test machine. Check for any failures in socket creation or data transfer. Microsoft says registered TDI transports are unaffected, so most modern software will be fine. But older VPN clients or custom monitoring tools could break.
  4. For Dell/Intel systems affected by the KB5101650 hold: Monitor Dell’s support site and Microsoft’s known issues page. Do not circumvent the block. If your system is held, ensure other security mitigations are in place—like limiting local logon rights—until the update becomes available.
  5. Audit your larger security posture. This bug reinforces why least-privilege principles matter. If users don’t have unnecessary local admin rights, an attacker who compromises their account still faces an extra hurdle. Consider reviewing access controls alongside your patching cadence.

Outlook

Microsoft will continue to refine kernel security in upcoming releases. The TDI hardening change hints at more scrutiny on long-standing networking interfaces. In the near term, the company is likely to publish additional details on the Dell/Intel issue, and once the hold is lifted, those systems will start receiving KB5101650 automatically. For everyone else, the AFD fix should be treated as a standard monthly update—routine but non-negotiable. Keep watching for post-patch exploit code, and if you’re managing servers that can’t be rebooted easily, plan your maintenance window now rather than waiting for a more dangerous second-stage attack to emerge.