Microsoft’s July 2026 security updates close a network-based denial-of-service vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) that allowed an authenticated attacker to crash critical systems, forcing a restart and disrupting authentication across an enterprise. The flaw, tracked as CVE-2026-49799, carries a CVSS 3.1 score of 6.5 and affects all supported Windows client and server versions, from Windows 10 to the latest Windows 11 26H1, and Windows Server 2012 through Server 2025.
The Flaw: A Resource-Hungry Attack on LSASS
The vulnerability stems from uncontrolled resource consumption (CWE-400) in LSASS, the process responsible for user logins, credential validation, and access token creation. By sending specially crafted network traffic, an attacker with low privileges can exhaust LSASS resources until the service fails. Unlike many denial-of-service bugs, this one requires no user interaction—just a network path and valid credentials, even those of a limited user account.
Microsoft’s advisory explicitly rates the attack complexity as low and the attack vector as network, meaning the barrier to exploitation is relatively low once an attacker gains a foothold. However, the requirement for authentication provides an important boundary: this isn’t an internet-facing, remote-code-execution scenario. An intruder must already have compromised an account or be operating from within the network. But in today’s environment of credential theft, password spraying, and lateral movement, that’s far from reassuring.
The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms that only availability is impacted—no data theft or privilege escalation is possible through this vulnerability alone. But for servers that handle authentication, availability is everything.
The Real Risk: When LSASS Goes Down
A stable LSASS is not a luxury; it’s a cornerstone of Windows security. When it crashes, the system can’t process logins, authenticate network connections, or enforce security policies. On a workstation, that means an interrupted session and lost work. On a member server, applications and services become unreachable. But the gravest damage unfolds on a domain controller.
Active Directory environments rely on domain controllers to field authentication requests continuously. A crashed domain controller that forces a restart can blackhole logon traffic for minutes, preventing users from accessing file shares, email, or line-of-business apps. In poorly designed networks where a single domain controller serves a remote site, an attacker could isolate that location entirely.
Microsoft hasn’t clarified whether the resource exhaustion can be repeated in quick succession. If it can, a determined attacker might keep a server in a reboot loop, effectively turning a denial-of-service into a persistent outage. Administrators should assume the worst until research proves otherwise.
The fact that the vulnerability was not publicly disclosed or seen in active attacks at the time of the advisory—as noted by both Microsoft and the Zero Day Initiative—provides only temporary comfort. Once patches are reverse-engineered, attack code often appears. The window between fix availability and exploitation can be narrow, especially for a bug this straightforward.
Systems in the Crosshairs and Build Numbers to Check
Microsoft has released fixes for a sweeping range of operating systems. The July 2026 cumulative updates—among them KB5099540 for Windows Server 2022—contain the corrective code. Systems that install any subsequent monthly update will also receive the protection, since Windows cumulative updates supersede their predecessors.
But verifying patch installation is trickier than it sounds. Management consoles may report success when a restart is still pending, or a servicing stack failure rolled back the fix. Savvy admins check the OS build number directly. Here are the corrected builds for key versions, according to Microsoft’s documentation:
- Windows 11 24H2: build 26100.8875 or later
- Windows 11 25H2: build 26200.8875 or later
- Windows 11 26H1: build 28000.2269 or later
- Windows Server 2022: build 20348.5386 or later
- Windows Server 2025: build 26100.33158 or later
- Windows Server 2019: build 17763.9020 or later
- Windows Server 2016: build 14393.9339 or later
Older Windows 10 editions (1607, 1809, 21H2, 22H2) and Server 2012/2012 R2 are also covered, provided they have active support or Extended Security Updates. The broad reach reflects LSASS’s deep roots in the OS, making every version potentially susceptible.
Your Patch Plan: Test, Deploy, Verify
CVE-2026-49799 isn’t marked as exploited, so organizations can take a measured—yet swift—approach. Patch domain controllers first. These are the crown jewels of authentication, and a crashing DC can cascade into a major incident. Next, target any server that handles high volumes of network authentications: Remote Desktop Services hosts, VPN gateways, Exchange servers, and web application proxies.
Client workstations are lower priority, but only relatively. A crashed laptop frustrates one user; a crashed jump host or kiosk might block many. Teams should roll out the updates through their usual ring deployment, accelerating where risk dictates.
Beyond patching, there’s no official workaround. Standard security practices like network segmentation, strict firewall rules, and just-in-time privileged access can reduce the attack surface, but they won’t fix the underlying flaw. Microsoft hasn’t provided any registry key to temporarily disable the vulnerable code path. The patch is the only reliable remedy.
Security teams should also scrutinise their SIEM or endpoint detection tools for unexplained LSASS spikes or unexpected system reboots, particularly those correlated with authentication attempts from a new or low-privileged account. While these symptoms aren’t exclusive to CVE-2026-49799, a cluster of such events might indicate attempted exploitation before the patch was applied.
What to Watch Next
As with any patch, the clock is ticking. Even though no public proof-of-concept exists today, the details are sufficient for security researchers to start hunting for the vulnerable code. Expect a write-up, and possibly a functional exploit, within weeks. Microsoft’s advisory gave the world what it needed to know: uncontrolled resource consumption in LSASS. That alone can guide attackers to the right protocol or call sequence.
The absence of an immediate emergency doesn’t mean this flaw can wait until the next Patch Tuesday cycle. Attackers frequently chain low-severity bugs to create powerful attack chains. A domain-joined standard user account that can also crash LSASS at will? That’s a gift to any ransomware affiliate looking to spread chaos before deploying payloads.
Check your builds, test the July updates in a staging environment, and push them to production—especially to those authentication-critical servers. And keep an eye on the security research feeds. If an exploit drops, you’ll want to know before your SOC does.