Microsoft’s July 14, 2026, security updates resolved an information disclosure flaw in the Windows HTTP protocol stack that could let any local user—without needing administrator rights—read privileged memory. The flaw, tracked as CVE-2026-50420, affects Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. Although exploitation requires local access, the potential to siphon sensitive data from kernel memory makes it a high-priority patch for systems exposed to untrusted users.
What Actually Changed: A Kernel-Mode Driver Receives a Boundary Check
At the heart of this patch is an out-of-bounds read in HTTP.sys, the kernel-mode component that handles HTTP traffic for services like Internet Information Services (IIS) and any application built on Windows HTTP Server APIs. When triggered, the flaw allowed a local attacker to read beyond the intended boundaries of a memory buffer, potentially exposing data that should have been off-limits—ranging from request contents and session details to kernel addresses and credentials.
Microsoft classified the vulnerability with a CVSS 3.1 base score of 6.2 and labeled it “Important” in its Security Update Guide. The attack vector is local (AV:L), complexity is low, and no privileges are required (PR:N). That means even a guest account or a sandboxed process on a shared machine could have exploited the bug. The confidentiality impact is marked as high, yet there is no effect on integrity or availability.
The patch arrived in the following cumulative updates:
- Windows 11 24H2 and 25H2: KB5101650, advancing systems to builds 26100.8875 and 26200.8875, respectively.
- Windows 11 26H1: KB5101649, taking the OS to build 28000.2525.
- Windows Server 2025 (including Server Core): KB5099536, moving to build 26100.33158.
Notably, these are the only affected versions. Older Windows releases and Windows Server editions do not carry this specific vulnerability, narrowing the exposure surface substantially.
What It Means for You
For Home Users and Small Businesses
If you run Windows 11 on a personal laptop or desktop, this update is another routine Patch Tuesday installment. The risk of exploitation is minimal if your device is used solely by you or trusted family members. The bug requires an attacker to already have a foothold on the machine—either through another compromise, shared physical access, or a malicious application downloaded and run. Apply the cumulative update through Windows Update as you normally would, and verify your build number afterward.
For IT Administrators and Managed Environments
The calculus changes when you manage shared or multi-user systems. Remote Desktop Session Hosts, developer workstations running untested code, virtual desktop infrastructure, and servers running third-party workloads all present realistic paths for a local attacker to reach the vulnerable HTTP.sys code. Because no privileges are required, a low-impact user account is enough to trigger the information leak.
Server administrators, in particular, should note an additional change bundled into KB5099536 for Windows Server 2025. Microsoft introduced networking hardening that enforces registration requirements for third-party Transport Driver Interface (TDI) transports. Applications that use sockets over unregistered third-party TDI transports may break after installing the update. Before you deploy broadly, test legacy networking software, antivirus tools, and any custom transport drivers in a pilot group.
Security scanners should flag the fixed builds, not just the visible presence of HTTP.sys or IIS. Even if you don’t run a web server, the vulnerable kernel driver remains on the system and can be exercised locally.
For Developers
If you build or maintain applications that rely on the Windows HTTP stack (WinHTTP or kernel-mode HTTP APIs), there is no immediate change in behavior beyond the security fix. However, if your software includes a custom TDI transport, ensure it is properly registered to avoid compatibility issues after applying KB5099536 on Server 2025. No recompilation is required, but test your full networking stack against the updated builds.
How We Got Here: An Out-of-Bounds Read in a Legacy Network Component
HTTP.sys has a long and occasionally troubled history. As a kernel-mode driver dating back to Windows Server 2003, it has been the target of high-profile remote vulnerabilities—most notoriously CVE-2015-1635 (MS15-034), which allowed remote code execution via a crafted HTTP request. That legacy often causes administrators to brace for the worst when a new HTTP.sys CVE appears.
CVE-2026-50420 is a different animal. It is an out-of-bounds read (CWE-125), not a remote code execution vector. Microsoft and the National Vulnerability Database both characterize the attack as local. An attacker must already be on the system, though that foothold does not require elevated privileges. The vulnerability is in the core HTTP protocol stack, so any local process that can trigger HTTP.sys operations could potentially exploit it.
The narrow scope of affected versions suggests Microsoft isolated the bug to a specific code branch introduced or modified in recent releases. Windows 11 24H2, 25H2, and 26H1 share a common kernel lineage, while Windows Server 2025 was built alongside them. Older Windows versions likely use a different HTTP.sys implementation or lack the specific vulnerable code path.
Microsoft confirmed the vulnerability’s existence (report confidence is “Confirmed”) but noted at the time of release that there was no evidence of public disclosure or active exploitation. That absence is reassuring, but it shouldn’t breed complacency. Kernel memory disclosure bugs are often chained with other exploits to bypass security mitigations like Address Space Layout Randomization (ASLR) or to steal credentials.
What to Do Now: Patching Strategies and Verification
-
Install the July cumulative update. Apply KB5101650, KB5101649, or KB5099536 as appropriate for your OS. For most organizations, this fits into your normal Patch Tuesday deployment window. If you delay non-critical updates, treat this one as priority for shared servers or machines accessible to untrusted users.
-
Verify the build number. A quick win is checking that systems are at or above the fixed builds listed earlier. This is especially important for Windows 11 26H1, where the CVE database lists a lower build boundary that could cause confusion. Use
winveror a management tool to confirm. -
Test for TDI-related issues on Server 2025. Before rolling out KB5099536 broadly, check any software that might use third-party TDI transports. If you find a failure, work with the vendor or register the transport properly. Microsoft has documented the change in the update’s release notes.
-
Don’t disable IIS on its own. HTTP.sys is a core system component used by many services beyond IIS. Removing the IIS role does not unload the HTTP.sys driver or eliminate the vulnerable code path. The only sure mitigation is the cumulative update.
-
Monitor for future indicators of compromise. While the bug was not exploited in the wild at disclosure time, keep an eye on threat intelligence feeds for any signs that this CVE is being weaponized. Kernel memory leaks often become more valuable as more details emerge.
Outlook: When Kernel Leaks Meet Lateral Movement
Information disclosure bugs rarely dominate Patch Tuesday headlines, but they quietly erode security boundaries. A local kernel memory leak can act as a stepping stone, turning a low-value user compromise into a full privilege escalation or lateral movement. Because HTTP.sys is ubiquitous on Windows, the patch is not one to ignore.
Microsoft’s advisory leaves important questions unanswered: exactly what kind of data can be leaked, whether the leak rate is fast enough to extract credentials, and whether the bug is exploitable from a Hyper-V guest or a container. Without technical details, the prudent stance is to assume a worst-case scenario and patch accordingly.
The July 2026 update also hints at broader hardening efforts in the Windows networking stack, as seen in the TDI registration changes. Future Patch Tuesdays may bring similar tightening of legacy components. For now, apply the update, check your builds, and keep your ears open.