This report contains detail for the following vulnerabilities:
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET | CVE-2026-50649 | .NET Remote Code Execution Vulnerability | Important |
| .NET | CVE-2026-50525 | .NET Denial of Service Vulnerability | Important |
| .NET | CVE-2026-50528 | .NET Security Feature Bypass Vulnerability | Important |
| .NET | CVE-2026-47302 | .NET Denial of Service Vulnerability | Important |
| .NET | CVE-2026-50659 | .NET Spoofing Vulnerability | Important |
| .NET | CVE-2026-50526 | .NET Tampering Vulnerability | Important |
| .NET | CVE-2026-47304 | .NET Security Feature Bypass Vulnerability | Important |
| .NET | CVE-2026-50651 | .NET Denial of Service Vulnerability | Important |
| .NET Core | CVE-2026-57108 | .NET Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2026-50524 | .NET Framework Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2026-50650 | .NET Framework Elevation of Privilege Vulnerability | Important |
| .NET Framework | CVE-2026-50527 | .NET Framework Denial of Service Vulnerability | Important |
| .NET Framework | CVE-2026-50646 | .NET Framework Remote Code Execution Vulnerability | Important |
| .NET Framework | CVE-2026-50648 | .NET Framework Denial of Service Vulnerability | Important |
| Active Directory Certificate Services (AD CS) | CVE-2026-54121 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Critical |
| Active Directory Domain Services | CVE-2026-50366 | Windows Active Directory Domain Services Denial of Service Vulnerability | Important |
| Active Directory Domain Services | CVE-2026-49164 | Windows Active Directory Domain Services Remote Code Execution Vulnerability | Critical |
| Active Directory Domain Services | CVE-2026-49178 | Windows Active Directory Domain Services Remote Code Execution Vulnerability | Important |
| Active Directory Domain Services | CVE-2026-57976 | Windows Active Directory Domain Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50368 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50304 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50695 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-54983 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-58529 | Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-56155 | Active Directory Federation Services Elevation of Privilege Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50647 | Active Directory Federation Server Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50355 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50411 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50684 | Active Directory Federation Server Spoofing Vulnerability | Important |
| Active Directory Federation Services (AD FS) | CVE-2026-50324 | Windows Active Directory Federation Services Denial of Service Vulnerability | Important |
| Age of Empires II: Definitive Edition Game | CVE-2026-50663 | Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability | Important |
| ASP.NET Core | CVE-2026-45646 | OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability | Important |
| ASP.NET Core | CVE-2026-50506 | OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability | Important |
| ASP.NET Core | CVE-2026-56170 | ASP.NET Core Denial of Service Vulnerability | Important |
| ASP.NET Core | CVE-2026-47300 | ASP.NET Core Elevation of Privilege Vulnerability | Important |
| ASP.NET Core | CVE-2026-47303 | ASP.NET Core Elevation of Privilege Vulnerability | Important |
| Azure Active Directory | CVE-2026-50653 | Azure Active Directory Denial of Service Vulnerability | Important |
| Azure Active Directory | CVE-2026-50652 | Azure Active Directory Denial of Service Vulnerability | Important |
| Azure CycleCloud | CVE-2026-57969 | Azure CycleCloud Elevation of Privilege Vulnerability | Important |
| Azure CycleCloud | CVE-2026-58279 | Azure CycleCloud Elevation of Privilege Vulnerability | Important |
| Azure Monitor Agent | CVE-2026-47632 | Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability | Important |
| Azure OpenAI | CVE-2026-45499 | Azure OpenAI Elevation of Privilege Vulnerability | Critical |
| Azure Spring Apps | CVE-2026-50338 | Azure Spring Apps Elevation of Privilege Vulnerability | Important |
| Azure Synapse | CVE-2026-26145 | Microsoft Azure Synapse Elevation of Privilege Vulnerability | Critical |
| Code Integrity DLL (ci.dll) | CVE-2026-50491 | Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability | Important |
| Composite Image File System Driver | CVE-2026-50381 | Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability | Important |
| Content Delivery Manager | CVE-2026-50427 | Content Delivery Manager Elevation of Privilege Vulnerability | Important |
| Desktop Window Manager | CVE-2026-58634 | Desktop Window Manager Elevation of Privilege Vulnerability | Important |
| Desktop Window Manager | CVE-2026-50692 | Desktop Window Manager Elevation of Privilege Vulnerability | Important |
| Desktop Window Manager | CVE-2026-58633 | Desktop Window Manager Elevation of Privilege Vulnerability | Important |
| Extensible Storage Engine (ESENT) | CVE-2026-57088 | Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability | Important |
| Github Copilot | CVE-2026-50510 | GitHub Copilot Remote Code Execution Vulnerability | Important |
| GitHub Copilot and Visual Studio | CVE-2026-41109 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | Important |
| GitHub Copilot and Visual Studio Code | CVE-2026-47282 | GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability | Important |
| HTTP/2 | CVE-2026-49788 | HTTP/2 Denial of Service Vulnerability | Important |
| M365 Copilot | CVE-2026-41106 | Microsoft 365 Copilot Elevation of Privilege Vulnerability | Critical |
| Mariner | CVE-2026-60000 | sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication. | Low |
| Mariner | CVE-2026-8925 | SASL double-free | Moderate |
| Mariner | CVE-2026-59997 | internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection. | Moderate |
| Mariner | CVE-2026-60001 | sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay. | Moderate |
| Mariner | CVE-2026-8926 | password leak with netrc and user in URL | Moderate |
| Mariner | CVE-2026-9080 | UAF after pause in socket callback | Low |
| Mariner | CVE-2026-55952 | TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension | Important |
| Mariner | CVE-2026-53361 | af_unix: Set gc_in_progress to true in unix_gc(). | Moderate |
| Mariner | CVE-2026-59996 | scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. | Moderate |
| Mariner | CVE-2026-54886 | SSH SFTP server denial of service via extended channel data infinite loop | Moderate |
| Mariner | CVE-2026-53359 | KVM: x86: Fix shadow paging use-after-free due to unexpected role | Important |
| Mariner | CVE-2026-53362 | ipv6: account for fraggap on the paged allocation path | Important |
| Mariner | CVE-2026-59995 | sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. | Moderate |
| Mariner | CVE-2026-14355 | ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD | Moderate |
| Mariner | CVE-2026-8286 | wrong STARTTLS connection reuse | Important |
| Mariner | CVE-2026-9545 | exposing HTTP/3 early data | Important |
| Mariner | CVE-2026-53352 | signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() | Moderate |
| Mariner | CVE-2026-12413 | IKEv2 Denial of Service via malformed fragmentation | Important |
| Mariner | CVE-2026-53343 | ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow | Important |
| Mariner | CVE-2026-53329 | drm/amd/display: Use krealloc_array() in dal_vector_reserve() | Important |
| Mariner | CVE-2026-14258 | Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling | Moderate |
| Mariner | CVE-2026-50721 | IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload | Important |
| Mariner | CVE-2026-56149 | Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service | Moderate |
| Mariner | CVE-2026-53349 | netfilter: nf_conntrack: destroy stale expectfn expectations on unregister | Moderate |
| Mariner | CVE-2026-50722 | IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload | Important |
| Mariner | CVE-2026-12480 | Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras | Moderate |
| Mariner | CVE-2026-8924 | trailing dot domain super cookie | Important |
| Mariner | CVE-2026-14647 | onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds | Low |
| Mariner | CVE-2026-11856 | cross-origin Digest auth state leak | Moderate |
| Mariner | CVE-2026-10536 | HTTP/2 stream-dependency tree UAF | Low |
| Mariner | CVE-2026-53355 | net: rds: clear i_sends on setup unwind | Moderate |
| Mariner | CVE-2026-53347 | drm/virtio: Fix driver removal with disabled KMS | Moderate |
| Mariner | CVE-2026-8932 | incomplete mTLS config matching in conn reuse | Important |
| Mariner | CVE-2026-8458 | wrong reuse for different services | Moderate |
| Mariner | CVE-2026-9547 | SSH improper host validation | Critical |
| Mariner | CVE-2026-59999 | In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not. | Moderate |
| Mariner | CVE-2026-12064 | proto-default skips SSH verification | Important |
| Mariner | CVE-2026-54891 | Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl | Moderate |
| Mariner | CVE-2026-9079 | stale proxy password leak | Important |
| Mariner | CVE-2026-8927 | env-set cross-proxy Digest auth state leak | Moderate |
| Mariner | CVE-2026-55999 | xorg-server / xwayland glamor font atlas Heap Buffer Overflow | Important |
| Mariner | CVE-2026-14191 | WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader | Important |
| Mariner | CVE-2026-56001 | libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow | Important |
| Mariner | CVE-2026-56003 | libXfont2 computeProps Property Buffer Heap Buffer Overflow | Important |
| Mariner | CVE-2026-53337 | net: bonding: fix NULL pointer dereference in bond_do_ioctl() | Moderate |
| Mariner | CVE-2026-53356 | drm/i915/gem: Fix phys BO pread/pwrite with offset | Important |
| Mariner | CVE-2026-53336 | nvmem: layouts: onie-tlv: fix hang on unknown types | Moderate |
| Mariner | CVE-2026-53327 | debugobjects: Do not fill_pool() if pi_blocked_on | Moderate |
| Mariner | CVE-2026-49090 | Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service | Moderate |
| Mariner | CVE-2026-53357 | Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() | Moderate |
| Mariner | CVE-2026-53353 | hsr: Remove WARN_ONCE() in hsr_addr_is_self(). | Moderate |
| Mariner | CVE-2026-53339 | i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() | Moderate |
| Mariner | CVE-2026-59818 | etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation | Moderate |
| Mariner | CVE-2026-59871 | node-tar: Process crash via PAX numeric path type confusion | Moderate |
| Mariner | CVE-2026-59873 | node-tar: Decompression/parse DoS via unlimited input | Critical |
| Mariner | CVE-2026-58250 | NATS Server: Pre-auth server crash via double INFO in leafnode handshake | Moderate |
| Mariner | CVE-2026-15308 | Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations | Important |
| Mariner | CVE-2026-40469 | Heap buffer overflow in gawk | Moderate |
| Mariner | CVE-2026-40467 | Use after free in gawk | Moderate |
| Mariner | CVE-2026-59874 | node-tar: Negative tar entry size causes infinite loop in archive replace | Important |
| Mariner | CVE-2026-40553 | Stack-based buffer overflow in gawk | Moderate |
| Mariner | CVE-2026-20243 | ClamAV ALZ Archive Processing Denial of Service Vulnerability | Important |
| Mariner | CVE-2026-14461 | Out-of-bound read in mtr | Moderate |
| Mariner | CVE-2026-56289 | Loop with Unreachable Exit Condition in GNU patch | Moderate |
| Mariner | CVE-2026-20213 | ClamAV PE File Format Processing Out-of-Bounds Memory Corruption Vulnerability | Important |
| Mariner | CVE-2026-59922 | Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert) | Important |
| Mariner | CVE-2026-59869 | js-yaml: YAML merge-key chains can force quadratic CPU consumption | Important |
| Mariner | CVE-2026-14739 | DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders | Important |
| Mariner | CVE-2026-59928 | Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions | Important |
| Mariner | CVE-2026-20216 | ClamAV InstallShield File Format Processing Resource Exhaustion Vulnerability | Important |
| Mariner | CVE-2026-20217 | ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability | Important |
| Mariner | CVE-2026-20214 | ClamAV FSG File Format Processing Out-of-Bounds Memory Corruption Vulnerability | Important |
| Mariner | CVE-2026-20215 | ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability | Important |
| Mariner | CVE-2026-14380 | DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile | Important |
| Mariner | CVE-2026-14740 | DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment | Important |
| Mariner | CVE-2026-20244 | ClamAV DMG File Processing Denial of Service Vulnerability | Important |
| Mariner | CVE-2026-59998 | sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. | Moderate |
| Mariner | CVE-2026-56000 | xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent() | Critical |
| Mariner | CVE-2026-38968 | ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing. | Critical |
| Mariner | CVE-2026-60002 | ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.) | Important |
| Mariner | CVE-2026-56002 | libXfont2 PCF Font Parsing Heap Buffer Overflow | Important |
| Mariner | CVE-2026-56288 | NULL Pointer Dereference in GNU patch | Moderate |
| Mariner | CVE-2026-59856 | Vim: Arbitrary Code Execution via PHP Omni-Completion | Important |
| Mariner | CVE-2026-38969 | ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling. | Moderate |
| Mariner | CVE-2026-54908 | Pion DTLS: Denial of service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message | Moderate |
| Mariner | CVE-2026-59926 | Mistune: XSS via unescaped class option in Admonition directive | Moderate |
| Mariner | CVE-2026-40468 | Heap buffer overflow in gawk | Low |
| Mariner | CVE-2026-58253 | NATS Server: Route API Auth Bypass | Important |
| Mariner | CVE-2026-58209 | NATS Server: MQTT retained and QoS replay bypass subscribe deny filters | Moderate |
| Mariner | CVE-2026-53354 | arm64: errata: Mitigate TLBI errata on various Arm CPUs | Important |
| Mariner | CVE-2026-53332 | slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd | Moderate |
| Mariner | CVE-2026-53345 | KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying | Moderate |
| Mariner | CVE-2026-41579 | runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations | Low |
| Mariner | CVE-2026-58252 | NATS Server: Subscribe Authz Bypass via Wildcard-Overlap | Moderate |
| Mariner | CVE-2026-59925 | inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs | Important |
| Mariner | CVE-2026-59890 | setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+ | Moderate |
| Mariner | CVE-2026-59930 | Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content | Moderate |
| Mariner | CVE-2026-58207 | NATS Server: Remote crash via integer overflow in Connz pagination | Important |
| Mariner | CVE-2026-58208 | NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled | Moderate |
| Mariner | CVE-2026-58251 | NATS Server: Queue Subscribe Authz Bypass | Moderate |
| Microsoft 365 Copilot for iOS | CVE-2026-58617 | M365 Copilot for iOS Elevation of Privilege Vulnerability | Important |
| Microsoft Bing App for IOS | CVE-2026-58595 | Microsoft Bing App for IOS Spoofing Vulnerability | Important |
| Microsoft Copilot | CVE-2026-48561 | Microsoft Copilot Remote Code Execution Vulnerability | Critical |
| Microsoft Defender | CVE-2026-50658 | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | Important |
| Microsoft Defender | CVE-2026-55012 | Microsoft Defender Remote Code Execution Vulnerability | Critical |
| Microsoft Defender | CVE-2026-50657 | Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability | Important |
| Microsoft Defender | CVE-2026-55011 | Microsoft Defender Remote Code Execution Vulnerability | Critical |
| Microsoft Defender for Endpoint | CVE-2026-56178 | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | Important |
| Microsoft Dynamics NAV | CVE-2026-55944 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | Critical |
| Microsoft Edge (Chromium-based) | CVE-2026-14099 | Chromium: CVE-2026-14099 Use after free in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14096 | Chromium: CVE-2026-14096 Object lifecycle issue in Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14382 | Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14067 | Chromium: CVE-2026-14067 Use after free in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14075 | Chromium: CVE-2026-14075 Policy bypass in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14136 | Chromium: CVE-2026-14136 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14128 | Chromium: CVE-2026-14128 Insufficient data validation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14137 | Chromium: CVE-2026-14137 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14385 | Chromium: CVE-2026-14385 Heap buffer overflow in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14114 | Chromium: CVE-2026-14114 Inappropriate implementation in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14101 | Chromium: CVE-2026-14101 Insufficient policy enforcement in Sandbox | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14126 | Chromium: CVE-2026-14126 Incorrect security UI in UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14123 | Chromium: CVE-2026-14123 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14066 | Chromium: CVE-2026-14066 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13987 | Chromium: CVE-2026-13987 Incorrect security UI in Mobile | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13991 | Chromium: CVE-2026-13991 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13992 | Chromium: CVE-2026-13992 Inappropriate implementation in UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13980 | Chromium: CVE-2026-13980 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13975 | Chromium: CVE-2026-13975 Out of bounds read in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13974 | Chromium: CVE-2026-13974 Integer overflow in Safe Browsing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13981 | Chromium: CVE-2026-13981 Inappropriate implementation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13998 | Chromium: CVE-2026-13998 Incorrect security UI in File Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14005 | Chromium: CVE-2026-14005 Use after free in Omnibox | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14028 | Chromium: CVE-2026-14028 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13997 | Chromium: CVE-2026-13997 Incorrect security UI in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13994 | Chromium: CVE-2026-13994 Inappropriate implementation in Credential Management | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13995 | Chromium: CVE-2026-13995 Insufficient validation of untrusted input in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13983 | Chromium: CVE-2026-13983 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14386 | Chromium: CVE-2026-14386 Out of bounds read in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14407 | Chromium: CVE-2026-14407 Inappropriate implementation in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14409 | Chromium: CVE-2026-14409 Inappropriate implementation in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14408 | Chromium: CVE-2026-14408 Uninitialized Use in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14405 | Chromium: CVE-2026-14405 Uninitialized Use in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14406 | Chromium: CVE-2026-14406 Out of bounds read in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14404 | Chromium: CVE-2026-14404 Inappropriate implementation in PDFium | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14402 | Chromium: CVE-2026-14402 Uninitialized Use in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14414 | Chromium: CVE-2026-14414 Insufficient validation of untrusted input in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14415 | Chromium: CVE-2026-14415 Inappropriate implementation in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14416 | Chromium: CVE-2026-14416 Out of bounds read in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14413 | Chromium: CVE-2026-14413 Uninitialized Use in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14411 | Chromium: CVE-2026-14411 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14410 | Chromium: CVE-2026-14410 Inappropriate implementation in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14412 | Chromium: CVE-2026-14412 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14391 | Chromium: CVE-2026-14391 Integer overflow in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14395 | Chromium: CVE-2026-14395 Out of bounds write in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14396 | Chromium: CVE-2026-14396 Out of bounds read in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14393 | Chromium: CVE-2026-14393 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14388 | Chromium: CVE-2026-14388 Out of bounds read in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14390 | Chromium: CVE-2026-14390 Use after free in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14392 | Chromium: CVE-2026-14392 Out of bounds write in Tint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14401 | Chromium: CVE-2026-14401 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14400 | Chromium: CVE-2026-14400 Out of bounds write in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14403 | Chromium: CVE-2026-14403 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14399 | Chromium: CVE-2026-14399 Uninitialized Use in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14394 | Chromium: CVE-2026-14394 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14398 | Chromium: CVE-2026-14398 Use after free in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14397 | Chromium: CVE-2026-14397 Out of bounds write in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13969 | Chromium: CVE-2026-13969 Uninitialized Use in UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13862 | CVE-2026-13862 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13863 | Chromium: CVE-2026-13863 Insufficient validation of untrusted input in CustomTabs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13866 | Chromium: CVE-2026-13866 Insufficient validation of untrusted input in Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13856 | Chromium: CVE-2026-13856 Insufficient validation of untrusted input in Speech | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13851 | Chromium: CVE-2026-13851 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13852 | Chromium: CVE-2026-13852 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13850 | Chromium: CVE-2026-13850 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13880 | Chromium: CVE-2026-13880 Use after free in USB | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13885 | Chromium: CVE-2026-13885 Use after free in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13887 | Chromium: CVE-2026-13887 Insufficient policy enforcement in NFC | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13872 | Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13868 | Chromium: CVE-2026-13868 Inappropriate implementation in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13870 | Chromium: CVE-2026-13870 Use after free in WebView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13878 | Chromium: CVE-2026-13878 Use after free in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13819 | Chromium: CVE-2026-13819 Out of bounds read in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13822 | Chromium: CVE-2026-13822 Inappropriate implementation in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13826 | Chromium: CVE-2026-13826 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13825 | Chromium: CVE-2026-13825 Uninitialized Use in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13808 | Chromium: CVE-2026-13808 Insufficient data validation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13816 | Chromium: CVE-2026-13816 Insufficient validation of untrusted input in File Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13813 | Chromium: CVE-2026-13813 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13846 | Chromium: CVE-2026-13846 Use after free in USB | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13847 | Chromium: CVE-2026-13847 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13792 | Chromium: CVE-2026-13792 Use after free in Touchbar | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13842 | Chromium: CVE-2026-13842 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13827 | Chromium: CVE-2026-13827 Use after free in Updater | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13833 | Chromium: CVE-2026-13833 Uninitialized Use in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13843 | Chromium: CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13889 | Chromium: CVE-2026-13889 Insufficient validation of untrusted input in WebAuthentication | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13932 | Chromium: CVE-2026-13932 Inappropriate implementation in Sharing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13936 | Chromium: CVE-2026-13936 Inappropriate implementation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13943 | Chromium: CVE-2026-13943 Uninitialized Use in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13929 | Chromium: CVE-2026-13929 Insufficient validation of untrusted input in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13926 | Chromium: CVE-2026-13926 Insufficient validation of untrusted input in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13918 | Chromium: CVE-2026-13918 Use after free in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13924 | Chromium: CVE-2026-13924 Insufficient validation of untrusted input in WebView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13955 | Chromium: CVE-2026-13955 Insufficient validation of untrusted input in CustomTabs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13927 | Chromium: CVE-2026-13927 Insufficient validation of untrusted input in UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13964 | Chromium: CVE-2026-13964 Insufficient policy enforcement in WebView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13949 | Chromium: CVE-2026-13949 Insufficient policy enforcement in Payments | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13939 | Chromium: CVE-2026-13939 Insufficient validation of untrusted input in WebShare | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13944 | Chromium: CVE-2026-13944 Inappropriate implementation in DataTransfer | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13946 | Chromium: CVE-2026-13946 Inappropriate implementation in ScriptInjections | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13914 | Chromium: CVE-2026-13914 Inappropriate implementation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13907 | Chromium: CVE-2026-13907 Inappropriate implementation in iOSWeb | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13912 | Chromium: CVE-2026-13912 Incorrect security UI in Safe Browsing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13905 | Chromium: CVE-2026-13905 Incorrect security UI in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13904 | Chromium: CVE-2026-13904 Incorrect security UI in Safe Browsing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13892 | Chromium: CVE-2026-13892 Inappropriate implementation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13902 | Chromium: CVE-2026-13902 Inappropriate implementation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13915 | Chromium: CVE-2026-13915 Use after free in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13917 | Chromium: CVE-2026-13917 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13923 | Chromium: CVE-2026-13923 Uninitialized Use in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13916 | Chromium: CVE-2026-13916 Inappropriate implementation in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13910 | Chromium: CVE-2026-13910 Insufficient policy enforcement in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13913 | Chromium: CVE-2026-13913 Insufficient policy enforcement in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13908 | Chromium: CVE-2026-13908 Insufficient validation of untrusted input in Omnibox | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14417 | Chromium: CVE-2026-14417 Use after free in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-58298 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58295 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58294 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-13779 | Chromium: CVE-2026-13779 Use after free in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-58596 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58525 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58524 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58289 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-13776 | Chromium: CVE-2026-13776 Type Confusion in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-58288 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58290 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58293 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58292 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58291 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-13818 | Chromium: CVE-2026-13818 Inappropriate implementation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13815 | Chromium: CVE-2026-13815 Use after free in Blink | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13811 | Chromium: CVE-2026-13811 Use after free in IME | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13814 | Chromium: CVE-2026-13814 Use after free in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13820 | Chromium: CVE-2026-13820 Out of bounds read in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13821 | Chromium: CVE-2026-13821 Use after free in Canvas | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13817 | Chromium: CVE-2026-13817 Insufficient validation of untrusted input in Glic | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13796 | Chromium: CVE-2026-13796 Integer overflow in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13954 | Chromium: CVE-2026-13954 Insufficient policy enforcement in XML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-58597 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2026-13799 | Chromium: CVE-2026-13799 Use after free in QUIC | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13810 | Chromium: CVE-2026-13810 Inappropriate implementation in Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13806 | Chromium: CVE-2026-13806 Insufficient validation of untrusted input in Accessibility | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13800 | Chromium: CVE-2026-13800 Inappropriate implementation in Updater | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-58287 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57987 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57986 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57985 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57988 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58276 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57992 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57991 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-45489 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2026-45488 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2026-14104 | Chromium: CVE-2026-14104 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-55945 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2026-57984 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57983 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57981 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58282 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58281 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57993 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58283 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58286 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58285 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58284 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-56646 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-56645 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-58278 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57974 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-57977 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-13775 | Chromium: CVE-2026-13775 Use after free in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-57975 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2026-13823 | Chromium: CVE-2026-13823 Use after free in Glic | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13859 | Chromium: CVE-2026-13859 Inappropriate implementation in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13858 | Chromium: CVE-2026-13858 Out of bounds read in FFmpeg | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13857 | Chromium: CVE-2026-13857 Inappropriate implementation in Geometry | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13854 | Chromium: CVE-2026-13854 Use after free in Ozone | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14431 | Chromium: CVE-2026-14431 Type Confusion in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13864 | Chromium: CVE-2026-13864 Insufficient policy enforcement in WebHID | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13860 | Chromium: CVE-2026-13860 Incorrect security UI in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13804 | Chromium: CVE-2026-13804 Use after free in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13803 | Chromium: CVE-2026-13803 Type Confusion in Chrome Tabs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13802 | Chromium: CVE-2026-13802 Use after free in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13848 | Chromium: CVE-2026-13848 Use after free in Forms | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13855 | Chromium: CVE-2026-13855 Use after free in Ozone | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13853 | Chromium: CVE-2026-13853 Use after free in Journeys | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13849 | Chromium: CVE-2026-13849 Insufficient validation of untrusted input in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14423 | Chromium: CVE-2026-14423 Type Confusion in Tint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14421 | Chromium: CVE-2026-14421 Uninitialized Use in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14424 | Chromium: CVE-2026-14424 Use after free in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14422 | Chromium: CVE-2026-14422 Out of bounds read and write in Tint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14420 | Chromium: CVE-2026-14420 Out of bounds read and write in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14418 | Chromium: CVE-2026-14418 Uninitialized Use in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14419 | Chromium: CVE-2026-14419 Use after free in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14429 | Chromium: CVE-2026-14429 Insufficient validation of untrusted input in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14430 | Chromium: CVE-2026-14430 Integer overflow in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14432 | Chromium: CVE-2026-14432 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14428 | Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14425 | Chromium: CVE-2026-14425 Use after free in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14426 | Chromium: CVE-2026-14426 Use after free in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14427 | Chromium: CVE-2026-14427 Heap buffer overflow in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13801 | Chromium: CVE-2026-13801 Integer overflow in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13837 | Chromium: CVE-2026-13837 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13835 | Chromium: CVE-2026-13835 Inappropriate implementation in XML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13836 | Chromium: CVE-2026-13836 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13838 | Chromium: CVE-2026-13838 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13841 | Chromium: CVE-2026-13841 Integer overflow in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13840 | Chromium: CVE-2026-13840 Insufficient policy enforcement in Canvas | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13839 | Chromium: CVE-2026-13839 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13829 | Chromium: CVE-2026-13829 Insufficient validation of untrusted input in Settings | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13828 | Chromium: CVE-2026-13828 Inappropriate implementation in Enterprise | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13824 | Chromium: CVE-2026-13824 Insufficient validation of untrusted input in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13830 | Chromium: CVE-2026-13830 Use after free in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13832 | Chromium: CVE-2026-13832 Use after free in Headless | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13834 | Chromium: CVE-2026-13834 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13831 | Chromium: CVE-2026-13831 Use after free in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13790 | Chromium: CVE-2026-13790 Side-channel information leakage in Scroll | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13787 | Chromium: CVE-2026-13787 Use after free in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13786 | Chromium: CVE-2026-13786 Use after free in Ozone | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13793 | Chromium: CVE-2026-13793 Insufficient policy enforcement in SVG | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13798 | Chromium: CVE-2026-13798 Heap buffer overflow in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13797 | Chromium: CVE-2026-13797 Insufficient validation of untrusted input in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13794 | Chromium: CVE-2026-13794 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13780 | Chromium: CVE-2026-13780 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13845 | Chromium: CVE-2026-13845 Use after free in DOM | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13844 | Chromium: CVE-2026-13844 Use after free in Updater | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13781 | Chromium: CVE-2026-13781 Insufficient validation of untrusted input in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13784 | Chromium: CVE-2026-13784 Use after free in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13783 | Chromium: CVE-2026-13783 Use after free in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13782 | Chromium: CVE-2026-13782 Use after free in Browser | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14009 | Chromium: CVE-2026-14009 Insufficient data validation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14010 | Chromium: CVE-2026-14010 Uninitialized Use in Codecs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14011 | Chromium: CVE-2026-14011 Out of bounds read in SurfaceCapture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14008 | Chromium: CVE-2026-14008 Uninitialized Use in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14004 | Chromium: CVE-2026-14004 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14006 | Chromium: CVE-2026-14006 Use after free in Navigation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14007 | Chromium: CVE-2026-14007 Insufficient policy enforcement in PermissionsPolicy | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14018 | Chromium: CVE-2026-14018 Use after free in Updater | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14016 | Chromium: CVE-2026-14016 Insufficient policy enforcement in SVG | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14017 | Chromium: CVE-2026-14017 Inappropriate implementation in Navigation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14015 | Chromium: CVE-2026-14015 Inappropriate implementation in WebRTC | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14012 | Chromium: CVE-2026-14012 Side-channel information leakage in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14013 | Chromium: CVE-2026-14013 Inappropriate implementation in SVG | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14014 | Chromium: CVE-2026-14014 Inappropriate implementation in Paint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14003 | Chromium: CVE-2026-14003 Insufficient policy enforcement in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13986 | Chromium: CVE-2026-13986 Inappropriate implementation in Media UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13989 | Chromium: CVE-2026-13989 Insufficient policy enforcement in PageInfo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13988 | Chromium: CVE-2026-13988 Inappropriate implementation in Paint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13985 | Chromium: CVE-2026-13985 Inappropriate implementation in MediaCapture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13979 | Chromium: CVE-2026-13979 Inappropriate implementation in Paint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13982 | Chromium: CVE-2026-13982 Incorrect security UI in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13984 | Chromium: CVE-2026-13984 Incorrect security UI in TabStrip | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14000 | Chromium: CVE-2026-14000 Inappropriate implementation in XML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14001 | Chromium: CVE-2026-14001 Inappropriate implementation in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14002 | Chromium: CVE-2026-14002 Inappropriate implementation in Geolocation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13999 | Chromium: CVE-2026-13999 Inappropriate implementation in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13993 | Chromium: CVE-2026-13993 Incorrect security UI in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13990 | Chromium: CVE-2026-13990 Insufficient validation of untrusted input in DataTransfer | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13996 | Chromium: CVE-2026-13996 Incorrect security UI in Permissions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14019 | Chromium: CVE-2026-14019 Inappropriate implementation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14041 | Chromium: CVE-2026-14041 Insufficient policy enforcement in Serial | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14043 | Chromium: CVE-2026-14043 Use after free in GetUserMedia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14044 | Chromium: CVE-2026-14044 Use after free in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14042 | Chromium: CVE-2026-14042 Inappropriate implementation in Isolated Web Apps | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14039 | Chromium: CVE-2026-14039 Insufficient policy enforcement in GetUserMedia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14037 | Chromium: CVE-2026-14037 Insufficient policy enforcement in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14040 | Chromium: CVE-2026-14040 Use after free in BrowserTag | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14049 | Chromium: CVE-2026-14049 Inappropriate implementation in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14050 | Chromium: CVE-2026-14050 Insufficient policy enforcement in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14051 | Chromium: CVE-2026-14051 Uninitialized Use in GamepadAPI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14048 | Chromium: CVE-2026-14048 Use after free in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14045 | Chromium: CVE-2026-14045 Insufficient validation of untrusted input in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14046 | Chromium: CVE-2026-14046 Inappropriate implementation in CustomTabs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14047 | Chromium: CVE-2026-14047 Insufficient policy enforcement in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14038 | Chromium: CVE-2026-14038 Insufficient validation of untrusted input in New Tab Page | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14025 | Chromium: CVE-2026-14025 Use after free in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14024 | Chromium: CVE-2026-14024 Use after free in Ozone | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14027 | Chromium: CVE-2026-14027 Use after free in SignIn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14023 | Chromium: CVE-2026-14023 Insufficient validation of untrusted input in SanitizerAPI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14020 | Chromium: CVE-2026-14020 Insufficient validation of untrusted input in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14021 | Chromium: CVE-2026-14021 Insufficient validation of untrusted input in StorageAccessAPI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14022 | Chromium: CVE-2026-14022 Insufficient validation of untrusted input in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14033 | Chromium: CVE-2026-14033 Insufficient policy enforcement in Media | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14035 | Chromium: CVE-2026-14035 Insufficient policy enforcement in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14036 | Chromium: CVE-2026-14036 Insufficient policy enforcement in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14034 | Chromium: CVE-2026-14034 Inappropriate implementation in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14031 | Chromium: CVE-2026-14031 Incorrect security UI in File Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14032 | Chromium: CVE-2026-14032 Use after free in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14030 | Chromium: CVE-2026-14030 Incorrect security UI in SplitView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13922 | Chromium: CVE-2026-13922 Side-channel information leakage in Paint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13920 | Chromium: CVE-2026-13920 Insufficient validation of untrusted input in Media | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13919 | Chromium: CVE-2026-13919 Insufficient data validation in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13921 | Chromium: CVE-2026-13921 Insufficient validation of untrusted input in DeviceBoundSessionCredentials | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13906 | Chromium: CVE-2026-13906 Out of bounds read in Codecs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13909 | Chromium: CVE-2026-13909 Insufficient policy enforcement in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13911 | Chromium: CVE-2026-13911 Insufficient data validation in Spellcheck | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13933 | Chromium: CVE-2026-13933 Insufficient policy enforcement in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13930 | Chromium: CVE-2026-13930 Insufficient policy enforcement in Actor | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13935 | Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13934 | Chromium: CVE-2026-13934 Insufficient validation of untrusted input in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13925 | Chromium: CVE-2026-13925 Inappropriate implementation in Downloads | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13928 | Chromium: CVE-2026-13928 Insufficient validation of untrusted input in Enterprise | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13931 | Chromium: CVE-2026-13931 Inappropriate implementation in Media | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13903 | Chromium: CVE-2026-13903 Insufficient policy enforcement in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13891 | Chromium: CVE-2026-13891 Insufficient validation of untrusted input in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13893 | Chromium: CVE-2026-13893 Insufficient validation of untrusted input in WebUI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13894 | Chromium: CVE-2026-13894 Insufficient policy enforcement in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13890 | Chromium: CVE-2026-13890 Out of bounds read in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13886 | Chromium: CVE-2026-13886 Policy bypass in Isolated Web Apps | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13888 | Chromium: CVE-2026-13888 Use after free in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13884 | Chromium: CVE-2026-13884 Heap buffer overflow in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13901 | Chromium: CVE-2026-13901 Insufficient validation of untrusted input in Serial | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13900 | Chromium: CVE-2026-13900 Insufficient validation of untrusted input in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13899 | Chromium: CVE-2026-13899 Use after free in HTML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13898 | Chromium: CVE-2026-13898 Use after free in Cast Receiver | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13895 | Chromium: CVE-2026-13895 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13896 | Chromium: CVE-2026-13896 Insufficient policy enforcement in Glic | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13897 | Chromium: CVE-2026-13897 Insufficient policy enforcement in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13937 | Chromium: CVE-2026-13937 Insufficient policy enforcement in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13967 | Chromium: CVE-2026-13967 Type Confusion in V8 | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13966 | Chromium: CVE-2026-13966 Inappropriate implementation in History | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13968 | Chromium: CVE-2026-13968 Insufficient validation of untrusted input in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13965 | Chromium: CVE-2026-13965 Use after free in Oilpan | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13960 | Chromium: CVE-2026-13960 Inappropriate implementation in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13962 | Chromium: CVE-2026-13962 Insufficient data validation in PDF | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13963 | Chromium: CVE-2026-13963 Inappropriate implementation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13976 | Chromium: CVE-2026-13976 Heap buffer overflow in Storage | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13977 | Chromium: CVE-2026-13977 Inappropriate implementation in HTMLParser | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13978 | Chromium: CVE-2026-13978 Insufficient policy enforcement in PageInfo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13973 | Chromium: CVE-2026-13973 Inappropriate implementation in UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13970 | Chromium: CVE-2026-13970 Uninitialized Use in Media | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13972 | Chromium: CVE-2026-13972 Inappropriate implementation in Paint | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13971 | Chromium: CVE-2026-13971 Uninitialized Use in Skia | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13959 | Chromium: CVE-2026-13959 Insufficient validation of untrusted input in Blink | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13945 | Chromium: CVE-2026-13945 Insufficient policy enforcement in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13947 | Chromium: CVE-2026-13947 Uninitialized Use in XR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13948 | Chromium: CVE-2026-13948 Insufficient policy enforcement in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13941 | Chromium: CVE-2026-13941 Inappropriate implementation in SiteSettings | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13938 | Chromium: CVE-2026-13938 Integer overflow in Fonts | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13940 | Chromium: CVE-2026-13940 Uninitialized Use in Cast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13942 | Chromium: CVE-2026-13942 Insufficient validation of untrusted input in Video Capture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13956 | Chromium: CVE-2026-13956 Incorrect security UI in PageInfo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13958 | Chromium: CVE-2026-13958 Uninitialized Use in Codecs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13957 | Chromium: CVE-2026-13957 Incorrect security UI in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13953 | Chromium: CVE-2026-13953 Inappropriate implementation in SplitView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13950 | Chromium: CVE-2026-13950 Uninitialized Use in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13951 | Chromium: CVE-2026-13951 Policy bypass in USB | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13952 | Chromium: CVE-2026-13952 Inappropriate implementation in PerformanceAPIs | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14052 | Chromium: CVE-2026-14052 Insufficient policy enforcement in FileSystem | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14138 | Chromium: CVE-2026-14138 Inappropriate implementation in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14144 | Chromium: CVE-2026-14144 Incorrect security UI in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14143 | Chromium: CVE-2026-14143 Incorrect security UI in Passwords | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14135 | Chromium: CVE-2026-14135 Insufficient validation of untrusted input in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14140 | Chromium: CVE-2026-14140 Insufficient validation of untrusted input in Input | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14141 | Chromium: CVE-2026-14141 Incorrect security UI in Document Picture-in-Picture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14142 | Chromium: CVE-2026-14142 Inappropriate implementation in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14152 | Chromium: CVE-2026-14152 Out of bounds write in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14150 | Chromium: CVE-2026-14150 Insufficient validation of untrusted input in Speech | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14149 | Chromium: CVE-2026-14149 Use after free in Audio | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14147 | Chromium: CVE-2026-14147 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14145 | Chromium: CVE-2026-14145 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14146 | Chromium: CVE-2026-14146 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14148 | Chromium: CVE-2026-14148 Type Confusion in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14139 | Chromium: CVE-2026-14139 Inappropriate implementation in TabStrip | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14124 | Chromium: CVE-2026-14124 Inappropriate implementation in CredentialProvider | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14125 | Chromium: CVE-2026-14125 Uninitialized Use in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14122 | Chromium: CVE-2026-14122 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14121 | Chromium: CVE-2026-14121 Use after free in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14119 | Chromium: CVE-2026-14119 Type Confusion in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14120 | Chromium: CVE-2026-14120 Inappropriate implementation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14116 | Chromium: CVE-2026-14116 Insufficient validation of untrusted input in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14131 | Chromium: CVE-2026-14131 Insufficient validation of untrusted input in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14132 | Chromium: CVE-2026-14132 Inappropriate implementation in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14134 | Chromium: CVE-2026-14134 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14133 | Chromium: CVE-2026-14133 Race in History Embeddings | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14127 | Chromium: CVE-2026-14127 Inappropriate implementation in Printing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14129 | Chromium: CVE-2026-14129 Incorrect security UI in PreviewTab | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14130 | Chromium: CVE-2026-14130 Incorrect security UI in Omnibox | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14151 | Chromium: CVE-2026-14151 Inappropriate implementation in AI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13777 | Chromium: CVE-2026-13777 Insufficient validation of untrusted input in iOSWeb | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13778 | Chromium: CVE-2026-13778 Use after free in WebUSB | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13788 | Chromium: CVE-2026-13788 Use after free in Fullscreen | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13861 | Chromium: CVE-2026-13861 Use after free in Core | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13869 | Chromium: CVE-2026-13869 Use after free in Device | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13867 | Chromium: CVE-2026-13867 Inappropriate implementation in Geolocation | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13865 | Chromium: CVE-2026-13865 Insufficient validation of untrusted input in Enterprise | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13807 | Chromium: CVE-2026-13807 Use after free in Import | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13812 | Chromium: CVE-2026-13812 Insufficient validation of untrusted input in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13809 | Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13805 | Chromium: CVE-2026-13805 Use after free in GFX | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13791 | Chromium: CVE-2026-13791 Insufficient validation of untrusted input in Downloads | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13795 | Chromium: CVE-2026-13795 Insufficient policy enforcement in Chrome for iOS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13785 | Chromium: CVE-2026-13785 Use after free in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13871 | Chromium: CVE-2026-13871 Insufficient data validation in GuestView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13961 | Chromium: CVE-2026-13961 Insufficient validation of untrusted input in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13774 | Chromium: CVE-2026-13774 Use after free in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13881 | Chromium: CVE-2026-13881 Insufficient data validation in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14156 | Chromium: CVE-2026-14156 Policy bypass in StorageAccessAPI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14155 | Chromium: CVE-2026-14155 Insufficient policy enforcement in StorageAccessAPI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14153 | Chromium: CVE-2026-14153 Inappropriate implementation in Glic | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14154 | Chromium: CVE-2026-14154 Inappropriate implementation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13876 | Chromium: CVE-2026-13876 Inappropriate implementation in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13874 | Chromium: CVE-2026-13874 Inappropriate implementation in DataTransfer | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13873 | Chromium: CVE-2026-13873 Out of bounds memory access in Layout | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13877 | Chromium: CVE-2026-13877 Insufficient validation of untrusted input in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13882 | Chromium: CVE-2026-13882 Inappropriate implementation in USB | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13879 | Chromium: CVE-2026-13879 Use after free in Bluetooth | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13875 | Chromium: CVE-2026-13875 Insufficient validation of untrusted input in GPU | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14077 | Chromium: CVE-2026-14077 Incorrect security UI in Select | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14076 | Chromium: CVE-2026-14076 Policy bypass in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14079 | Chromium: CVE-2026-14079 Policy bypass in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14078 | Chromium: CVE-2026-14078 Policy bypass in WebRTC | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14072 | Chromium: CVE-2026-14072 Incorrect security UI in SplitView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14070 | Chromium: CVE-2026-14070 Uninitialized Use in WebNN | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14073 | Chromium: CVE-2026-14073 Insufficient policy enforcement in WebXR | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14071 | Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14084 | Chromium: CVE-2026-14084 Insufficient validation of untrusted input in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14083 | Chromium: CVE-2026-14083 Insufficient validation of untrusted input in HTML | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14086 | Chromium: CVE-2026-14086 Insufficient policy enforcement in HID | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14085 | Chromium: CVE-2026-14085 Side-channel information leakage in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14080 | Chromium: CVE-2026-14080 Insufficient validation of untrusted input in TabSwitcher | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14081 | Chromium: CVE-2026-14081 Insufficient policy enforcement in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14074 | Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14082 | Chromium: CVE-2026-14082 Race in Storage | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14058 | Chromium: CVE-2026-14058 Policy bypass in Parser | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14057 | Chromium: CVE-2026-14057 Insufficient policy enforcement in FedCM | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14062 | Chromium: CVE-2026-14062 Inappropriate implementation in Views | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14060 | Chromium: CVE-2026-14060 Insufficient validation of untrusted input in Chromoting | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14053 | Chromium: CVE-2026-14053 Insufficient policy enforcement in Extensions | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14055 | Chromium: CVE-2026-14055 Insufficient validation of untrusted input in Device Trust | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14054 | Chromium: CVE-2026-14054 Insufficient policy enforcement in Network | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14056 | Chromium: CVE-2026-14056 Insufficient validation of untrusted input in Media | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14068 | Chromium: CVE-2026-14068 Inappropriate implementation in Omnibox | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14065 | Chromium: CVE-2026-14065 Insufficient validation of untrusted input in PageInfo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14069 | Chromium: CVE-2026-14069 Integer overflow in WebNN | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14026 | Chromium: CVE-2026-14026 Incorrect security UI in SplitView | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14061 | Chromium: CVE-2026-14061 Inappropriate implementation in Dawn | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14059 | Chromium: CVE-2026-14059 Insufficient policy enforcement in Related-Website-Sets | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14064 | Chromium: CVE-2026-14064 Use after free in PageInfo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14063 | Chromium: CVE-2026-14063 Out of bounds memory access in Chromecast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14087 | Chromium: CVE-2026-14087 Insufficient validation of untrusted input in WebNN | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14091 | Chromium: CVE-2026-14091 Use after free in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14107 | Chromium: CVE-2026-14107 Use after free in Scheduling | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14108 | Chromium: CVE-2026-14108 Use after free in PDFium | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14106 | Chromium: CVE-2026-14106 Insufficient validation of untrusted input in Text | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14098 | Chromium: CVE-2026-14098 Inappropriate implementation in CSS | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14118 | Chromium: CVE-2026-14118 Insufficient data validation in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14105 | Chromium: CVE-2026-14105 Insufficient policy enforcement in Speech | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14115 | Chromium: CVE-2026-14115 Insufficient validation of untrusted input in Cast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14112 | Chromium: CVE-2026-14112 Inappropriate implementation in Enterprise | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14117 | Chromium: CVE-2026-14117 Insufficient validation of untrusted input in DevTools | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14113 | Chromium: CVE-2026-14113 Use after free in Updater | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14109 | Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojo | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14110 | Chromium: CVE-2026-14110 Inappropriate implementation in DarkMode | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14111 | Chromium: CVE-2026-14111 Use after free in WebProtect | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14093 | Chromium: CVE-2026-14093 Use after free in Cast | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14095 | Chromium: CVE-2026-14095 Insufficient validation of untrusted input in Browser | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14097 | Chromium: CVE-2026-14097 Inappropriate implementation in WebAppInstalls | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14094 | Chromium: CVE-2026-14094 Use after free in Installer | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14088 | Chromium: CVE-2026-14088 Uninitialized Use in Canvas | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14089 | Chromium: CVE-2026-14089 Insufficient validation of untrusted input in PopupBlocker | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14092 | Chromium: CVE-2026-14092 Insufficient policy enforcement in Privacy | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14090 | Chromium: CVE-2026-14090 Out of bounds read in CameraCapture | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14100 | Chromium: CVE-2026-14100 Insufficient data validation in NetworkCache | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14103 | Chromium: CVE-2026-14103 Use after free in SSL | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-13883 | Chromium: CVE-2026-13883 Type Confusion in ANGLE | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2026-14102 | Chromium: CVE-2026-14102 Use after free in Passwords | Unknown |
| Microsoft Edge for Android | CVE-2026-58299 | Microsoft Edge for Android Remote Code Execution Vulnerability | Important |
| Microsoft Edge for Android | CVE-2026-58523 | Microsoft Edge for Android Security Feature Bypass Vulnerability | Important |
| Microsoft Edge for Android | CVE-2026-58300 | Microsoft Edge for Android Information Disclosure Vulnerability | Important |
| Microsoft Edge for Android | CVE-2026-58296 | Microsoft Edge for Android Information Disclosure Vulnerability | Important |
| Microsoft Edge for Android | CVE-2026-58297 | Microsoft Edge for Android Information Disclosure Vulnerability | Important |
| Microsoft Edge for Android | CVE-2026-58522 | Microsoft Edge for Android Information Disclosure Vulnerability | Important |
| Microsoft Entra Provisioning Service (SyncFabric) | CVE-2026-57100 | Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability | Critical |
| Microsoft Exchange Online | CVE-2026-54998 | Microsoft Exchange Online Elevation of Privilege Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2026-55006 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important |
| Microsoft Exchange Server | CVE-2026-55005 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
| Microsoft Exchange Server | CVE-2026-55008 | Microsoft Exchange Server Spoofing Vulnerability | Critical |
| Microsoft Exchange Server | CVE-2026-55009 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important |
| Microsoft Fabric Data Warehouse | CVE-2026-56642 | Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2026-58609 | Windows Graphics Component Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2026-50483 | Windows Graphics Component Information Disclosure Vulnerability | Important |
| Microsoft Input Method Editor (IME) | CVE-2026-58534 | Windows Input Method Editor (IME) Elevation of Privilege Vulnerability | Important |
| Microsoft Install Service | CVE-2026-50343 | Microsoft Install Service Elevation of Privilege Vulnerability | Important |
| Microsoft NAT Helper Components (ipnathlp.dll) | CVE-2026-58537 | Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2026-55047 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55028 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55026 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55027 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55129 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55035 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55049 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55045 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55125 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-50301 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-50314 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-56193 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-47290 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-50467 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55022 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55023 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55017 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-55018 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-50665 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55140 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55121 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-56192 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-56195 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55139 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55042 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office | CVE-2026-55056 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-55057 | Microsoft Office Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55949 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55024 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-50408 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55947 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55898 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-58618 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-50678 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-54988 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55039 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-50675 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-47642 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-48580 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55899 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55948 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-54131 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55041 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55138 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55137 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55058 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55136 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55054 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55036 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55141 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55037 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55025 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55031 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55046 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55044 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55048 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55122 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55053 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55131 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-55029 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2026-56156 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office OneNote | CVE-2026-55133 | Microsoft OneNote Remote Code Execution Vulnerability | Important |
| Microsoft Office PowerPoint | CVE-2026-55120 | Microsoft PowerPoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office PowerPoint | CVE-2026-55043 | Microsoft PowerPoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office PowerPoint | CVE-2026-55123 | Microsoft PowerPoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2026-56157 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55126 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55051 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55040 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Moderate |
| Microsoft Office SharePoint | CVE-2026-55052 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55135 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-58644 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2026-54108 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55021 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55020 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-58277 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55030 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-50522 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2026-55034 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55019 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2026-55016 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55055 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55142 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55130 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55128 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55032 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55038 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55127 | Microsoft Word Remote Code Execution Vulnerability | Critical |
| Microsoft Office Word | CVE-2026-55033 | Microsoft Word Remote Code Execution Vulnerability | Critical |
| Microsoft Office Word | CVE-2026-55124 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55050 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55134 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office Word | CVE-2026-55132 | Microsoft Word Remote Code Execution Vulnerability | Critical |
| Microsoft Printer Drivers | CVE-2026-49166 | Windows Print Configuration Elevation of Privilege Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2026-55004 | Windows Print Configuration Elevation of Privilege Vulnerability | Important |
| Microsoft Surface | CVE-2026-48581 | Surface Broker SDMA Elevation of Privilege Vulnerability | Important |
| Microsoft Windows | CVE-2026-50476 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows App Store | CVE-2026-49165 | Microsoft Windows App Store Information Disclosure Vulnerability | Important |
| Microsoft Windows App Store | CVE-2026-49784 | Microsoft Windows App Store Elevation of Privilege Vulnerability | Important |
| Microsoft Windows App Store | CVE-2026-50356 | Microsoft Windows App Store Elevation of Privilege Vulnerability | Important |
| Microsoft Windows App Store | CVE-2026-42900 | Microsoft Windows App Store Elevation of Privilege Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2026-57083 | Windows Media Photo Codec Information Disclosure Vulnerability | Important |
| Microsoft Windows Media Foundation | CVE-2026-56189 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Media Foundation | CVE-2026-57087 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Media Foundation | CVE-2026-57094 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Media Foundation | CVE-2026-57090 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical |
| Microsoft Windows Media Foundation | CVE-2026-58610 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important |
| Microsoft Windows Media Foundation | CVE-2026-54993 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important |
| Microsoft Windows Search Component | CVE-2026-50373 | Windows Search Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows Search Component | CVE-2026-50679 | Windows Search Service Elevation of Privilege Vulnerability | Important |
| Microsoft Windows Speech | CVE-2026-49171 | Windows Speech Runtime Elevation of Privilege Vulnerability | Important |
| Microsoft XML | CVE-2026-57097 | Microsoft XML Security Feature Bypass Vulnerability | Important |
| Microsoft XML Core Services | CVE-2026-50359 | Microsoft XML Core Services Elevation of Privilege Vulnerability | Important |
| Minecraft Bedrock Dedicated Server | CVE-2026-55010 | Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability | Critical |
| Outlook Copilot | CVE-2026-55145 | Outlook Copilot Tampering Vulnerability | Moderate |
| Power BI | CVE-2026-58647 | Microsoft PowerBI Report Server Spoofing Vulnerability | Important |
| Quality Windows Audio/Video Experience (QWAVE) service | CVE-2026-54989 | Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability | Important |
| Reliable Multicast Transport Driver (RMCAST) | CVE-2026-54995 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | Critical |
| Reliable Multicast Transport Driver (RMCAST) | CVE-2026-54982 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | Critical |
| Remote Desktop Client | CVE-2026-50474 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
| Remote Desktop Client | CVE-2026-54990 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| Remote Desktop Client | CVE-2026-50330 | Windows Remote Desktop Client Elevation of Privilege Vulnerability | Important |
| Remote Desktop Client | CVE-2026-50504 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Role: DNS Server | CVE-2026-50426 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2026-49169 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| RPC Runtime | CVE-2026-50346 | Netlogon RPC Elevation of Privilege Vulnerability | Important |
| SQL Server | CVE-2026-54118 | Microsoft SQL Server Remote Code Execution Vulnerability | Critical |
| SQL Server | CVE-2026-47296 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| SQL Server | CVE-2026-54116 | Microsoft SQL Server Information Disclosure Vulnerability | Important |
| SQL Server | CVE-2026-47295 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| SQL Server | CVE-2026-55002 | Microsoft SQL Server Elevation of Privilege Vulnerability | Important |
| SQL Server | CVE-2026-50468 | Microsoft SQL Server Information Disclosure Vulnerability | Important |
| SQL Server | CVE-2026-54117 | Microsoft SQL Server Remote Code Execution Vulnerability | Critical |
| SQL Server ODBC driver | CVE-2026-42990 | SQL Server ODBC driver Elevation of Privilege Vulnerability | Important |
| Universal Plug and Play (upnp.dll) | CVE-2026-49180 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Important |
| Universal Plug and Play (upnp.dll) | CVE-2026-58547 | Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability | Important |
| Universal Plug and Play (upnp.dll) | CVE-2026-50455 | Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability | Important |
| Virtual Hard Disk (VHD) Miniport Driver | CVE-2026-58601 | Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability | Important |
| Visual Studio | CVE-2026-47305 | Visual Studio Remote Code Execution Vulnerability | Important |
| Visual Studio Code | CVE-2026-50520 | Visual Studio Code Remote Code Execution Vulnerability | Important |
| Visual Studio Code | CVE-2026-45496 | Visual Studio Code Security Feature Bypass Vulnerability | Important |
| Visual Studio Code | CVE-2026-57102 | Visual Studio Code Security Feature Bypass Vulnerability | Important |
| Visual Studio Code | CVE-2026-57101 | Visual Studio Code Security Feature Bypass Vulnerability | Important |
| Window PC Manager | CVE-2026-50438 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
| Window PC Manager | CVE-2026-58636 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important |
| Windows Active Directory | CVE-2026-55001 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important |
| Windows Active Directory | CVE-2026-50682 | Active Directory Denial of Service Vulnerability | Important |
| Windows Active Directory | CVE-2026-54119 | Windows Active Directory Denial of Service Vulnerability | Important |
| Windows Active Directory | CVE-2026-54115 | Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important |
| Windows Admin Center | CVE-2026-57107 | Windows Admin Center Elevation of Privilege Vulnerability | Important |
| Windows Admin Center | CVE-2026-58631 | Windows Admin Center (WAC) Remote Code Execution Vulnerability | Important |
| Windows Admin Center | CVE-2026-56169 | Windows Admin Center Elevation of Privilege Vulnerability | Important |
| Windows Admin Center | CVE-2026-56185 | Windows Admin Center Information Disclosure Vulnerability | Important |
| Windows Admin Center | CVE-2026-56196 | Windows Admin Center (WAC) Remote Code Execution Vulnerability | Important |
| Windows Admin Center | CVE-2026-56197 | Windows Admin Center (WAC) Remote Code Execution Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2026-57093 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2026-50312 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2026-34346 | Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability | Important |
| Windows Ancillary Function Driver for WinSock | CVE-2026-50462 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows App Installer | CVE-2026-48571 | Windows App Package Installer Elevation of Privilege Vulnerability | Important |
| Windows App Installer | CVE-2026-48572 | Windows App Package Installer Elevation of Privilege Vulnerability | Important |
| Windows App Installer | CVE-2026-50400 | Windows App Package Installer Elevation of Privilege Vulnerability | Important |
| Windows Application Model | CVE-2026-50331 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important |
| Windows AppX Deployment Service | CVE-2026-49803 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important |
| Windows Audio Compression Manager (ACM) | CVE-2026-50351 | Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability | Important |
| Windows Audio Service | CVE-2026-34328 | Windows Audio Service Information Disclosure Vulnerability | Important |
| Windows Audio Service | CVE-2026-50440 | Windows Audio Service Elevation of Privilege Vulnerability | Important |
| Windows Backup Engine | CVE-2026-50406 | Windows Backup Engine Elevation of Privilege Vulnerability | Important |
| Windows BitLocker | CVE-2026-50661 | Windows BitLocker Security Feature Bypass Vulnerability | Important |
| Windows Bluetooth Port Driver | CVE-2026-42975 | Windows Bluetooth Port Driver Remote Code Execution | Important |
| Windows Bluetooth Service | CVE-2026-58538 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Important |
| Windows Boot Loader | CVE-2026-58638 | Windows Boot Loader Security Feature Bypass Vulnerability | Important |
| Windows Brokering File System | CVE-2026-50466 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Windows Brokering File System | CVE-2026-49162 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Windows Brokering File System | CVE-2026-50305 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Windows Brokering File System | CVE-2026-50361 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Windows Brokering File System | CVE-2026-50458 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important |
| Windows Client-Side Caching (CSC) Service | CVE-2026-58637 | Windows Client-Side Caching Elevation of Privilege Vulnerability | Important |
| Windows Clip Service | CVE-2026-50384 | Windows Clip Service Elevation of Privilege Vulnerability | Important |
| Windows Clipboard Server | CVE-2026-50689 | Windows Clipboard Server Elevation of Privilege Vulnerability | Important |
| Windows Clipboard Server | CVE-2026-49183 | Windows Clipboard Server Elevation of Privilege Vulnerability | Important |
| Windows Clipboard User Service | CVE-2026-50488 | Clipboard User Service Elevation of Privilege Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2026-50374 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2026-50401 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2026-58613 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2026-58536 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2026-50697 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Connected User Experiences and Telemetry | CVE-2026-50421 | Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important |
| Windows Container Isolation FS Filter Driver (unionfs.sys) | CVE-2026-50428 | Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability | Important |
| Windows CryptoAPI | CVE-2026-55144 | Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability | Important |
| Windows Cryptographic Services | CVE-2026-50681 | Windows Secure Channel Information Disclosure Vulnerability | Important |
| Windows Cryptographic Services | CVE-2026-44806 | Windows Secure Channel Denial of Service Vulnerability | Important |
| Windows Cryptographic Services | CVE-2026-50302 | Windows Cryptographic Services Security Feature Bypass Vulnerability | Important |
| Windows Cryptographic Services | CVE-2026-50352 | Windows Cryptographic Services Information Disclosure Vulnerability | Important |
| Windows Data.dll | CVE-2026-50347 | Windows Data.dll Remote Code Execution Vulnerability | Important |
| Windows Devices Human Interface | CVE-2026-50310 | Windows Human Interface Device Information Disclosure Vulnerability | Important |
| Windows DHCP Client | CVE-2026-54128 | Windows DHCP Client Remote Code Execution Vulnerability | Critical |
| Windows DHCP Client | CVE-2026-49181 | Windows DHCP Client Elevation of Privilege Vulnerability | Important |
| Windows DHCP Server | CVE-2026-50518 | Windows DHCP Server Remote Code Execution Vulnerability | Critical |
| Windows DHCP Server | CVE-2026-50370 | DHCP Server Service Remote Code Execution Vulnerability | Critical |
| Windows DHCP Server | CVE-2026-50683 | Windows DHCP Client Elevation of Privilege Vulnerability | Important |
| Windows DHCP Server | CVE-2026-50685 | Windows DHCP Server Remote Code Execution Vulnerability | Important |
| Windows DHCP Server | CVE-2026-58627 | Windows DHCP Server Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2026-56159 | DHCP Server Service Remote Code Execution Vulnerability | Critical |
| Windows DHCP Server | CVE-2026-48564 | DHCP Server Service Remote Code Execution Vulnerability | Critical |
| Windows DirectX | CVE-2026-50353 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows DirectX | CVE-2026-50382 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical |
| Windows DirectX | CVE-2026-49807 | Windows DirectX Information Disclosure Vulnerability | Important |
| Windows DirectX | CVE-2026-58629 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows DirectX | CVE-2026-50375 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows DNS | CVE-2026-50465 | Windows DNS Client Tampering Vulnerability | Important |
| Windows DNS | CVE-2026-50487 | Windows DNS Client Elevation of Privilege Vulnerability | Important |
| Windows DNS | CVE-2026-50495 | DNS Client Tampering Vulnerability | Important |
| Windows DNS | CVE-2026-49174 | DNS Client Tampering Vulnerability | Important |
| Windows DNS | CVE-2026-50295 | Windows Zero Trust DNS Security Feature Bypass Vulnerability | Important |
| Windows DNS | CVE-2026-49175 | Windows DNS Client Elevation of Privilege Vulnerability | Important |
| Windows Domain Controller | CVE-2026-50424 | Windows Domain Controller Denial of Service Vulnerability | Important |
| Windows DWM | CVE-2026-58541 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows DWM Core Library | CVE-2026-50437 | Windows DWM Core Library Information Disclosure Vulnerability | Important |
| Windows Event Logging Service | CVE-2026-50502 | Windows Event Logging Service Remote Code Execution Vulnerability | Important |
| Windows Event Logging Service | CVE-2026-34348 | Windows Event Logging Service Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-33842 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-50389 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-57084 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-41087 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-50442 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-50456 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-50473 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File Explorer | CVE-2026-40422 | Windows File Explorer Information Disclosure Vulnerability | Important |
| Windows File History Service | CVE-2026-57091 | Windows File History Service Elevation of Privilege Vulnerability | Important |
| Windows Filtering Platform (WFP) | CVE-2026-50405 | Windows Filtering Platform Elevation of Privilege Vulnerability | Important |
| Windows FTP Service | CVE-2026-49172 | Windows FTP Service Remote Code Execution Vulnerability | Important |
| Windows GDI | CVE-2026-50387 | Windows GDI Elevation of Privilege Vulnerability | Important |
| Windows GDI+ | CVE-2026-49796 | Windows GDI+ Remote Code Execution Vulnerability | Critical |
| Windows GDI+ | CVE-2026-54122 | Windows GDI+ Remote Code Execution Vulnerability | Important |
| Windows GDI+ | CVE-2026-50380 | Windows GDI+ Remote Code Execution Vulnerability | Critical |
| Windows Graphics Kernel | CVE-2026-50296 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows Graphics Kernel | CVE-2026-50493 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows Group Policy | CVE-2026-50391 | Windows Group Policy Elevation of Privilege Vulnerability | Important |
| Windows HTTP.sys | CVE-2026-50420 | HTTP.sys Information Disclosure Vulnerability | Important |
| Windows HTTP.sys | CVE-2026-49787 | HTTP.sys Denial of Service Vulnerability | Important |
| Windows Hyper-V | CVE-2026-50485 | Windows Hyper-V Denial of Service Vulnerability | Important |
| Windows Hyper-V | CVE-2026-54129 | Windows Hyper-V Elevation of Privilege Vulnerability | Important |
| Windows Hyper-V | CVE-2026-50680 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical |
| Windows Hyper-V | CVE-2026-54127 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical |
| Windows Image Acquisition | CVE-2026-50315 | Windows Image Acquisition Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2026-50490 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2026-58540 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Internal System User Profile | CVE-2026-50425 | Windows Internal System User Profile Elevation of Privilege Vulnerability | Important |
| Windows Internal Task Bar | CVE-2026-50293 | Windows Internal Task Bar Elevation of Privilege Vulnerability | Important |
| Windows Internet Key Exchange (IKE) Protocol | CVE-2026-50696 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important |
| Windows Kernel | CVE-2026-50688 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-58545 | Windows Kernel Security Feature Bypass Vulnerability | Important |
| Windows Kernel | CVE-2026-56644 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-56643 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50377 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50329 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-49173 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50475 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50463 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50354 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50419 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50429 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50423 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50316 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50687 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50294 | Windows Kernel Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50399 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50390 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50673 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50436 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50397 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-58532 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-49798 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-54132 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-49795 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-58614 | Windows Kernel Security Feature Bypass Vulnerability | Important |
| Windows Kernel | CVE-2026-49167 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50478 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50332 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50670 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50459 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50477 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-50300 | Windows DWM Core Library Information Disclosure Vulnerability | Important |
| Windows Kernel | CVE-2026-50484 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2026-49808 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel Mode Driver | CVE-2026-58602 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2026-50393 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2026-50396 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important |
| Windows Key Guard | CVE-2026-50378 | Windows Key Guard Elevation of Privilege Vulnerability | Important |
| Windows Key Guard | CVE-2026-50303 | Windows Key Guard Security Feature Bypass Vulnerability | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2026-40378 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2026-49799 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | Important |
| Windows LUAFV | CVE-2026-50371 | Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Management Services | CVE-2026-58544 | Windows Management Services Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-34349 | Windows Media Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2026-50379 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-58542 | Windows Media Remote Code Execution Vulnerability | Critical |
| Windows Media | CVE-2026-50677 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50358 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50676 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50327 | Windows Media Remote Code Execution Vulnerability | Critical |
| Windows Media | CVE-2026-50404 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50655 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Critical |
| Windows Media | CVE-2026-50415 | Windows Media Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2026-50414 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50433 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50394 | Windows Media Information Disclosure Vulnerability | Important |
| Windows Media | CVE-2026-50336 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2026-50398 | Windows Media Elevation of Privilege Vulnerability | Important |
| Windows Message Queuing | CVE-2026-50447 | Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability | Important |
| Windows Message Queuing | CVE-2026-50505 | Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability | Important |
| Windows Message Queuing Queue Manager | CVE-2026-50439 | Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability | Important |
| Windows Message Queuing Queue Manager | CVE-2026-54992 | Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability | Critical |
| Windows MIDI Service Module | CVE-2026-56183 | Windows MIDI Service Module Elevation of Privileges Vulnerability | Important |
| Windows MIDI Service Module | CVE-2026-50342 | Windows MIDI Service Module Elevation of Privileges Vulnerability | Important |
| Windows MIDI Service Module | CVE-2026-56187 | Windows MIDI Service Module Elevation of Privileges Vulnerability | Important |
| Windows Narrator Braille | CVE-2026-58635 | Windows Narrator Braille Elevation of Privilege Vulnerability | Important |
| Windows Netlogon | CVE-2026-50500 | Windows Netlogon Elevation of Privilege Vulnerability | Important |
| Windows Network Address Translation (NAT) | CVE-2026-56181 | Windows Network Address Translation (NAT) Spoofing Vulnerability | Moderate |
| Windows Network File System | CVE-2026-56650 | Windows Network File System Elevation of Privilege Vulnerability | Important |
| Windows Network File System | CVE-2026-56648 | Windows NFS Server Elevation of Privilege Vulnerability | Important |
| Windows Network File System | CVE-2026-56194 | Windows NFS Server Elevation of Privilege Vulnerability | Important |
| Windows Network File System | CVE-2026-56649 | Windows Network File System Remote Code Execution Vulnerability | Important |
| Windows Network Policy Server SNMP | CVE-2026-50496 | Windows Network Policy Server SNMP Information Disclosure Vulnerability | Important |
| Windows Network Policy Server SNMP | CVE-2026-50470 | Windows Network Policy Server SNMP Information Disclosure Vulnerability | Important |
| Windows Notification | CVE-2026-50337 | Windows Notification Elevation of Privilege Vulnerability | Important |
| Windows Notification | CVE-2026-50334 | Windows Push Notification Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2026-50422 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50341 | Windows NTFS Information Disclosure Vulnerability | Important |
| Windows NTFS | CVE-2026-50308 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50471 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50402 | NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50388 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50313 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50417 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50309 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-56175 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50494 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-56182 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50482 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-58640 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50386 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50672 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50668 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-49789 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-49797 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50448 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-49184 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows NTFS | CVE-2026-50412 | Windows NTFS Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50667 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows NTFS | CVE-2026-50461 | Windows NTFS Remote Code Execution Vulnerability | Important |
| Windows OLE | CVE-2026-50686 | Windows OLE Remote Code Execution Vulnerability | Important |
| Windows OLE | CVE-2026-50344 | Windows OLE Elevation of Privilege Vulnerability | Important |
| Windows Operating Systems | CVE-2026-50317 | Windows Operating Systems Elevation of Privilege Vulnerability | Important |
| Windows Operating Systems | CVE-2026-50335 | Windows Operating Systems Elevation of Privilege Vulnerability | Important |
| Windows Overlay Filter | CVE-2026-54987 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important |
| Windows Overlay Filter | CVE-2026-50435 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important |
| Windows Overlay Filter | CVE-2026-50409 | Windows Overlay Filter Information Disclosure Vulnerability | Important |
| Windows PowerShell | CVE-2026-40400 | Windows PowerShell Remote Code Execution Vulnerability | Important |
| Windows Print Spooler Components | CVE-2026-57085 | Windows Print Spooler Information Disclosure Vulnerability | Important |
| Windows Print Spooler Components | CVE-2026-50499 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
| Windows Print Spooler Components | CVE-2026-50383 | Windows Print Spooler Information Disclosure Vulnerability | Important |
| Windows Print Spooler Components | CVE-2026-58608 | Windows Print Spooler Remote Code Execution Vulnerability | Critical |
| Windows Projected File System | CVE-2026-50469 | Windows Projected File System Elevation of Privilege Vulnerability | Important |
| Windows Push Notifications | CVE-2026-50430 | Windows Push Notification Information Disclosure Vulnerability | Important |
| Windows Push Notifications | CVE-2026-44800 | Windows Push Notifications Elevation of Privilege Vulnerability | Important |
| Windows Push Notifications | CVE-2026-50434 | Windows Push Notification Information Disclosure Vulnerability | Important |
| Windows Push Notifications | CVE-2026-50339 | Windows Push Notification Information Disclosure Vulnerability | Important |
| Windows Push Notifications | CVE-2026-50363 | Windows Push Notifications Elevation of Privilege Vulnerability | Important |
| Windows Quality of Service (QoS) Packet Scheduler | CVE-2026-50431 | Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-57982 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-57979 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-56190 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important |
| Windows RDP | CVE-2026-58594 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
| Windows RDP | CVE-2026-55003 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-58546 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-58533 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-58535 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-50376 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-58539 | Windows Remote Desktop Client Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-50445 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows RDP | CVE-2026-54126 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows Redirected Drive Buffering | CVE-2026-50372 | Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | Important |
| Windows Remote Access Connection Manager | CVE-2026-50666 | Windows Remote Access Elevation of Privilege Vulnerability | Important |
| Windows Remote Access Service Infrastructure | CVE-2026-56647 | Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability | Important |
| Windows Remote Desktop Protocol | CVE-2026-50497 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2026-58626 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Important |
| Windows Remote Desktop Services | CVE-2026-50369 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Important |
| Windows Remote Help Defense | CVE-2026-55014 | Windows Remote Help Defense Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50492 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50501 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50357 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-58530 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50318 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-49792 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-49793 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50362 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-54109 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50407 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| Windows Resilient File System (ReFS) | CVE-2026-50441 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-57096 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-50451 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-49791 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | Important |
| Windows RPC API | CVE-2026-50365 | Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-54125 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50323 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50449 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50460 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50403 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50410 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50340 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50322 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50345 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50452 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50486 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50503 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50457 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50385 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50413 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-50348 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Runtime | CVE-2026-58527 | Windows Runtime Elevation of Privilege Vulnerability | Important |
| Windows Schannel | CVE-2026-56186 | Windows Secure Channel Information Disclosure Vulnerability | Important |
| Windows Secure Boot | CVE-2026-49783 | Secure Boot Security Feature Bypass Vulnerability | Important |
| Windows Secure Kernel Mode | CVE-2026-50392 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Critical |
| Windows Secure Kernel Mode | CVE-2026-42982 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Critical |
| Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2026-50694 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical |
| Windows Sensor Data Service | CVE-2026-58619 | Windows Sensor Data Service Elevation of Privilege Vulnerability | Important |
| Windows Sensor Data Service | CVE-2026-50367 | Windows Sensor Data Service Elevation of Privilege Vulnerability | Important |
| Windows Server | CVE-2026-50311 | Windows Server Elevation of Privilege Vulnerability | Important |
| Windows Server Backup | CVE-2026-50364 | Windows Backup Service Elevation of Privilege Vulnerability | Important |
| Windows Server Network driver | CVE-2026-56188 | Windows Server Network driver Remote Code Execution Vulnerability | Critical |
| Windows Server Update Service | CVE-2026-50328 | Windows Server Update Service (WSUS) Tampering Vulnerability | Important |
| Windows Server Update Service | CVE-2026-50444 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Critical |
| Windows SMB | CVE-2026-50690 | Windows SMB Information Disclosure Vulnerability | Important |
| Windows SMB | CVE-2026-58531 | Windows SMB Elevation of Privilege Vulnerability | Important |
| Windows SMB | CVE-2026-54997 | Windows SMB Information Disclosure Vulnerability | Important |
| Windows SMB | CVE-2026-49801 | Windows SMB Information Disclosure Vulnerability | Important |
| Windows SMB Server | CVE-2026-56168 | Windows SMB Server Denial of Service Vulnerability | Important |
| Windows SMB Server | CVE-2026-50360 | Windows SMB Server Elevation of Privilege Vulnerability | Important |
| Windows SMB Server Network Transport Driver (srvnet.sys) | CVE-2026-57089 | Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability | Important |
| Windows Spaceport.sys | CVE-2026-50298 | Windows Spaceport.sys Elevation of Privilege Vulnerability | Important |
| Windows Spaceport.sys | CVE-2026-50333 | Windows Spaceport.sys Elevation of Privilege Vulnerability | Important |
| Windows StateRepository API | CVE-2026-49170 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important |
| Windows Storage | CVE-2026-58526 | Windows Storage Elevation of Privilege Vulnerability | Important |
| Windows Storage Spaces Direct | CVE-2026-50299 | Windows Storage Spaces Direct Remote Code Execution Vulnerability | Important |
| Windows Storage Spaces Direct | CVE-2026-49168 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2026-57973 | Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability | Important |
| Windows Subsystem for Linux | CVE-2026-57968 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | Important |
| Windows System | CVE-2026-50418 | Windows System Secure Feature Bypass Vulnerability | Important |
| Windows TCP/IP | CVE-2026-49177 | Windows TCP/IP Information Disclosure Vulnerability | Important |
| Windows TCP/IP | CVE-2026-50306 | Windows TCP/IP Elevation of Privilege Vulnerability | Important |
| Windows TCP/IP | CVE-2026-54999 | Windows TCP/IP Remote Code Execution Vulnerability | Critical |
| Windows TCP/IP | CVE-2026-50307 | Windows TCP/IP Elevation of Privilege Vulnerability | Important |
| Windows Telephony Service | CVE-2026-50669 | Windows Telephony Server Elevation of Privilege Vulnerability | Important |
| Windows Terminal | CVE-2026-54124 | Windows Terminal Remote Code Execution Vulnerability | Important |
| Windows Trusted Runtime Interface Driver | CVE-2026-50350 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | Important |
| Windows Unified Consent System | CVE-2026-50326 | Windows Unified Consent System Elevation of Privilege Vulnerability | Important |
| Windows Universal Disk Format File System Driver (UDFS) | CVE-2026-49790 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Important |
| Windows Universal Disk Format File System Driver (UDFS) | CVE-2026-50498 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Important |
| Windows USB Audio Class driver (usbaudio.sys) | CVE-2026-58528 | Windows USB Audio Class Driver Information Disclosure Vulnerability | Important |
| Windows USB Audio Class driver (usbaudio.sys) | CVE-2026-50453 | Windows USB Audio Class Driver Information Disclosure Vulnerability | Important |
| Windows USB Audio Class driver (usbaudio.sys) | CVE-2026-49794 | Windows USB Audio Class Driver Information Disclosure Vulnerability | Important |
| Windows USB Driver | CVE-2026-50321 | Windows USB Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Hub Driver | CVE-2026-50479 | Windows USB Hub Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-49802 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-58543 | Universal Print Management Service Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-49806 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-54991 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-55000 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-50674 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-54111 | Universal Print Management Service Elevation of Privilege Vulnerability | Important |
| Windows USB Print Driver | CVE-2026-54996 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important |
| Windows USB Video Driver | CVE-2026-49804 | Windows USB Video Driver Elevation of Privilege Vulnerability | Important |
| Windows User Interface Core | CVE-2026-50454 | Windows User Interface Core Elevation of Privilege Vulnerability | Important |
| Windows Virtual Filtering Platform (VFP) | CVE-2026-50432 | Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability | Important |
| Windows VMSwitch | CVE-2026-57092 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | Critical |
| Windows WalletService | CVE-2026-49176 | Windows WalletService Elevation of Privilege Vulnerability | Important |
| Windows Web Proxy Auto-Discovery Protocol (WPAD) | CVE-2026-49800 | Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability | Important |
| Windows Web Proxy Auto-Discovery Protocol (WPAD) | CVE-2026-50480 | Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability | Important |
| Windows WebView | CVE-2026-56173 | Windows WebView Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-49805 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-57095 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-50416 | Win32k Information Disclosure Vulnerability | Important |
| Windows Win32K | CVE-2026-56184 | Win32k Information Disclosure Vulnerability | Important |
| Windows Win32K | CVE-2026-50489 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-54986 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-58632 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-50325 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-50297 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-54114 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-54107 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2026-54112 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K - GRFX | CVE-2026-56176 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Windows Wireless Networking | CVE-2026-58628 | Windows Wireless Network Manager Elevation of Privilege Vulnerability | Important |
| Windows Wireless Wide Area Network Service | CVE-2026-50450 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important |
| Windows Wireless Wide Area Network Service | CVE-2026-50509 | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | Important |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48561 MITRE NVD |
CVE Title: Microsoft Copilot Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to execute code on the Hyper-V host execution environment. How could an attacker exploit this vulnerability? An attacker could host a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot on a user’s device when the user visits the site. Because the affected component processes these requests without confirmation or origin checks, the prompts may be executed without the user’s awareness, potentially resulting in unintended actions within Copilot such as accessing or modifying data. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48561 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Copilot for Android | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft 365 Copilot for iOS | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-48561 | Ofek Levin Enclave with Enclave |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-45488 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? The attacker must correctly craft convincing spoofed UI chrome, time the full-screen entry, and rely on user perception. While the exploit triggers reliably after a gesture, successful deception depends on careful social engineering and realistic mimicking of browser UI. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would need to click on a specially crafted URL that could present a popup box requesting additional user input. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Moderate | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-45488 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Moderate | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-45488 | Moch. Azril Barath Stalin K Hafiizh with https://www.linkedin.com/in/hafiizh-7aa6bb31/ FARISSAL B Francesco Jeremy Topol with k4tedu Alfaz Hossain with POTDF xzyhellsing |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-42982 MITRE NVD |
CVE Title: Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Description: Improper validation of consistency within input in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-42982 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-42982 | Arush Agarampur (Microsoft) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-47296 MITRE NVD |
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain sysadmin privileges. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47296 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5102340 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack | 5102339 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5102337 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5102338 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (CU 32) | 5102335 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5102336 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (CU 25) | 5101347 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5102334 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47296 | Sharath Unni |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-26145 MITRE NVD |
CVE Title: Microsoft Azure Synapse Elevation of Privilege Vulnerability
Description: Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-26145 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Synapse | Critical | Elevation of Privilege | None | Base: 4.8 Temporal: 4.3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-26145 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-45499 MITRE NVD |
CVE Title: Azure OpenAI Elevation of Privilege Vulnerability
Description: Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate privileges over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-45499 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Open AI | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-45499 | brahim_nah |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57100 MITRE NVD |
CVE Title: Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability
Description: Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57100 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Entra Provisioning Service | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-57100 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54998 MITRE NVD |
CVE Title: Microsoft Exchange Online Elevation of Privilege Vulnerability
Description: Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54998 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Online | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-54998 | Stefan Wey with Alweys | (UMB AG) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-41106 MITRE NVD |
CVE Title: Microsoft 365 Copilot Elevation of Privilege Vulnerability
Description: Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-41106 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Copilot | Critical | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-41106 | Vaibhavi Kalgutkar with Microsoft Dan Reimer with Microsoft Henrique Pereira with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-34349 MITRE NVD |
CVE Title: Windows Media Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-34349 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-34349 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-34346 MITRE NVD |
CVE Title: Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
Description: Cleartext transmission of sensitive information in Windows Ancillary Function Driver for WinSock allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-34346 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-34346 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-42900 MITRE NVD |
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Store allows an unauthorized attacker to elevate privileges over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-42900 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-42900 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-45489 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Unknown FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. 1.1    2026-07-12T07:00:00     CWE added. Informational change only. |
Moderate | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-45489 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Moderate | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-45489 | Ofek Levin Enclave with Enclave |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-42975 MITRE NVD |
CVE Title: Windows Bluetooth Port Driver Remote Code Execution
Description: Heap-based buffer overflow in Windows Bluetooth Port Driver allows an unauthorized attacker to execute code over an adjacent network. FAQ: According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability? Exploiting this vulnerability requires an attacker to be within Bluetooth range of the target system. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a user enables Bluetooth and the device set to be discoverable, which is not the default configuration on Windows systems. Once discoverability is enabled, no further user interaction is required for exploitation. How could an attacker exploit the vulnerability? An attacker could attempt to exploit this vulnerability by sending a specially crafted Bluetooth configuration request to a nearby affected device. If successful, this could allow the attacker to run code on the device without needing user interaction or prior access. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-42975 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-42975 | Philip Tsukerman with Palo Alto Networks Christian Siegert - chrisbsd Hyeon Park (`@_p0her_`) of Korea University TwinkleStar03 with DEVCORE Internship Program Hyeon Park (`@_p0her_`) of Korea University |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47300 MITRE NVD |
CVE Title: ASP.NET Core Elevation of Privilege Vulnerability
Description: Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47300 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47300 | Artur Stetsko |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47302 MITRE NVD |
CVE Title: .NET Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47302 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Windows | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47302 | Levi Broderick with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47303 MITRE NVD |
CVE Title: ASP.NET Core Elevation of Privilege Vulnerability
Description: Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47303 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47303 | Pham Quang Minh |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-42990 MITRE NVD |
CVE Title: SQL Server ODBC driver Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in SQL Server ODBC driver allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability? An attacker would need specific conditions to be in place (i.e. particular protocol settings, or configurations, etc.) before an attack could succeed, which reduces the likelihood of widespread or opportunistic exploitation. How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by setting up a malicious SQL Server and convincing a user or application to connect to it. When the connection is made, the malicious server could send specially crafted network data that triggers the flaw in the affected component, potentially causing the client application to behave unexpectedly or stop responding. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-42990 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5094042 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5094042 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5094041 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5094041 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-42990 | Mathias Vorreiter Pedersen with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48572 MITRE NVD |
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Installer allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48572 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-48572 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48571 MITRE NVD |
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description: Use after free in Windows App Installer allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48571 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-48571 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49162 MITRE NVD |
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49162 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49162 | Grant Hume |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49164 MITRE NVD |
CVE Title: Windows Active Directory Domain Services Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Active Directory Domain Services allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49164 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49164 | Linzishan & Anemone & Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49165 MITRE NVD |
CVE Title: Microsoft Windows App Store Information Disclosure Vulnerability
Description: Use of uninitialized resource in Microsoft Windows App Store allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49165 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49165 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49166 MITRE NVD |
CVE Title: Windows Print Configuration Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Printer Drivers allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49166 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49166 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49167 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49167 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49167 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49168 MITRE NVD |
CVE Title: Storage Spaces Direct Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49168 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49168 | Anonymous Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49169 MITRE NVD |
CVE Title: Windows DNS Server Remote Code Execution Vulnerability
Description: Use after free in DNS Server allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49169 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49169 | pwnky |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49170 MITRE NVD |
CVE Title: Windows StateRepository API Server file Elevation of Privilege Vulnerability
Description: Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49170 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49170 | pwnky |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49171 MITRE NVD |
CVE Title: Windows Speech Runtime Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49171 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49171 | k0shl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49176 MITRE NVD |
CVE Title: Windows WalletService Elevation of Privilege Vulnerability
Description: Improper privilege management in Windows WalletService allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49176 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49176 | Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd. & Nguyn ng Nguyn (@MochiNishimiya) with STAR Labs SG Pte. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49175 MITRE NVD |
CVE Title: Windows DNS Client Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows DNS allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49175 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49175 | Brandon Fisher Brandon Fisher pwn2addr |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49172 MITRE NVD |
CVE Title: Windows FTP Service Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows FTP Service allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending specially crafted FTP commands that exceed the expected length to a vulnerable FTP service. When the service processes and logs these oversized commands, it may write beyond the bounds of allocated memory, causing memory corruption that could lead to a service crash or allow code execution. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49172 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49172 | Linzishan & Anemone& Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49173 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49173 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49173 | Owen McCullough with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49174 MITRE NVD |
CVE Title: DNS Client Tampering Vulnerability
Description: Missing authentication for critical function in Microsoft Windows DNS allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49174 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49174 | Sneha Ravichandran with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49177 MITRE NVD |
CVE Title: Windows TCP/IP Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49177 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49177 | Microsoft Red Team (MRT) with Microsoft Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49784 MITRE NVD |
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49784 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49784 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50506 MITRE NVD |
CVE Title: OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50506 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft.AspNet.OData | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft.AspNetCore.OData | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50506 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47282 MITRE NVD |
CVE Title: GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability
Description: Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? This vulnerability could expose a sign-in access token for a user’s work account. If disclosed, that token could allow access to data and services that the user is authorized to use, potentially including sensitive organizational information. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47282 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47282 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-45496 MITRE NVD |
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description: Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vulnerability could bypass Visual Studio Code sensitive file protections. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-45496 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-45496 | Tarek Nakkouch 陳宥升 (CheN..) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50663 MITRE NVD |
CVE Title: Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability
Description: Relative path traversal in Age of Empires II: Definitive Edition Game allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit the vulnerability? An attacker could create a specially crafted game scenario file and convince a user to open it, which allows the file to write content outside the intended game directory. By doing this, the attacker can place malicious files in unexpected locations, potentially enabling code to run on the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50663 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Age of Empires II: Definitive Edition Game | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50663 | Rick de Jager |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54983 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54983 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54983 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50695 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50695 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50695 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54129 MITRE NVD |
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description: Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54129 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54129 | Nicola Stauffer working with TrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54989 MITRE NVD |
CVE Title: Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability
Description: Use after free in Quality Windows Audio/Video Experience (QWAVE) service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54989 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54989 | Marin Duroyon |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54987 MITRE NVD |
CVE Title: Windows Overlay Filter Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Overlay Filter allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54987 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54987 | Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd. Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50696 MITRE NVD |
CVE Title: Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
Description: Heap-based buffer overflow in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50696 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50696 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54990 MITRE NVD |
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by persuading a user to connect to a malicious Remote Desktop Protocol (RDP) server using a vulnerable RDP client. The malicious server could send specially crafted responses that trigger memory corruption on the client system, potentially allowing arbitrary code execution in the context of the logged-on user. Successful exploitation requires user interaction to establish the RDP connection. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54990 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54990 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab pwn2addr Thanatos Tian & PB18 & @2st__ with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50697 MITRE NVD |
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50697 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50697 | sweetchip dd484a5a34dd0f6d5330345ffe642dfc |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55000 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55000 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55000 | Nafiez with NLab Security Seung Chan Kim AIフィジカルインターフェイス二号機 AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54111 MITRE NVD |
CVE Title: Universal Print Management Service Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is Kernel memory read - unintentional read access to memory contents in kernel space from a user mode process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54111 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54111 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54991 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54991 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54991 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54132 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited the vulnerability could execute code in the kernel. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54132 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54132 | pwn2addr |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54107 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54107 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54107 | Pravin Choudhary |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54986 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54986 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54986 | YuilMuil(Yoon Jung Hyun) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54993 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54993 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54993 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55001 MITRE NVD |
CVE Title: Active Directory Domain Services Elevation of Privilege Vulnerability
Description: Improper certificate validation in Windows Active Directory allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55001 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54112 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54112 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54112 | LC with VGCO - Vietnam Germany Connection |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55004 MITRE NVD |
CVE Title: Windows Print Configuration Elevation of Privilege Vulnerability
Description: Double free in Microsoft Printer Drivers allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55004 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55004 | Q4n with Kunlun Lab and Zhiniang Peng with HUST Q4n with Kunlun Lab and Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54992 MITRE NVD |
CVE Title: Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Message Queuing Queue Manager allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54992 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54992 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54109 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54109 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54109 | R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54982 MITRE NVD |
CVE Title: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Description: Integer underflow (wrap or wraparound) in Reliable Multicast Transport Driver (RMCAST) allows an unauthorized attacker to execute code over an adjacent network. FAQ: According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability? This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54982 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54982 | Seung Chan Kim haowei yan haowei yan |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54114 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54114 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54114 | YuilMuil(Yoon Jung Hyun) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54996 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54996 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54996 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54119 MITRE NVD |
CVE Title: Windows Active Directory Denial of Service Vulnerability
Description: Loop with unreachable exit condition ('infinite loop') in Windows Active Directory allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54119 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54119 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54997 MITRE NVD |
CVE Title: Windows SMB Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54997 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54997 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54999 MITRE NVD |
CVE Title: Windows TCP/IP Remote Code Execution Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over an adjacent network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54999 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54999 | Owen McCullough with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55003 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability? An unauthorized attacker must wait for a user to initiate a connection. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55003 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55003 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54995 MITRE NVD |
CVE Title: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Description: Use after free in Reliable Multicast Transport Driver (RMCAST) allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54995 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54995 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54122 MITRE NVD |
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code locally. FAQ: How could an attacker exploit this vulnerability? Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message. In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim's machine. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk (UI:N). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54122 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54122 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50338 MITRE NVD |
CVE Title: Azure Spring Apps Elevation of Privilege Vulnerability
Description: Improper authentication in Azure Spring Apps allows an authorized attacker to elevate privileges over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50338 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Spring Apps | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 8.2 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50338 | Lukas Johannes Moeller |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-55011 MITRE NVD |
CVE Title: Microsoft Defender Remote Code Execution Vulnerability
Description: Integer underflow (wrap or wraparound) in Microsoft Defender allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
See Manage Updates Baselines Microsoft Defender Antivirus for more information. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating. Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment. How often are the Microsoft Malware Protection Engine and malware definitions updated? Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time. What is the Microsoft Malware Protection Engine? The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default? Defender runs on all supported version of Windows. Are there other products that use the Microsoft Malware Protection Engine? Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials. Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55011 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Malware Protection Engine | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-55011 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-55012 MITRE NVD |
CVE Title: Microsoft Defender Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Microsoft Defender allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
See Manage Updates Baselines Microsoft Defender Antivirus for more information. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating. Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment. How often are the Microsoft Malware Protection Engine and malware definitions updated? Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware software is used and how it is configured, the software may search for engine and definition updates every day when connected to the Internet, up to multiple times daily. Customers can also choose to manually check for updates at any time. What is the Microsoft Malware Protection Engine? The Microsoft Malware Protection Engine, mpengine.dll, provides the scanning, detection, and cleaning capabilities for Microsoft antivirus and antispyware software. Windows Defender uses the Microsoft Malware Protection Engine. On which products is Defender installed and active by default? Defender runs on all supported version of Windows. Are there other products that use the Microsoft Malware Protection Engine? Yes, Microsoft System Center Endpoint Protection, Microsoft System Center 2012 R2 Endpoint Protection, Microsoft System Center 2012 Endpoint Protection and Microsoft Security Essentials. Does this update contain any additional security-related changes to functionality? Yes. In addition to the changes that are listed for this vulnerability, this update includes defense-in-depth updates to help improve security-related features. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55012 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Malware Protection Engine | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-55012 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50524 MITRE NVD |
CVE Title: .NET Framework Denial of Service Vulnerability
Description: Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50524 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50524 | 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-54117 MITRE NVD |
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54117 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54117 | Piotr Bazydło (@chudypb) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-54118 MITRE NVD |
CVE Title: Microsoft SQL Server Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in SQL Server allows an authorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. How could an attacker exploit this vulnerability? An authenticated attacker with explicit permissions could exploit the vulnerability by logging in to the SQL server and could then elevate their privileges to sysadmin. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54118 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5102340 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack | 5102339 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5102337 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5102338 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (CU 32) | 5102335 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5102336 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (CU 25) | 5101347 (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5102334 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54118 | Piotr Bazydło (@chudypb) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-55002 MITRE NVD |
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description: External control of file name or path in SQL Server allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain sysadmin privileges. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55002 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5102340 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack | 5102339 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5102337 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5102338 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (CU 32) | 5102335 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5102336 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (CU 25) | 5101347 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5102334 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Unknown | Unknown | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55002 | Fabiano Amorim with Pythian |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55144 MITRE NVD |
CVE Title: Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability
Description: Missing cryptographic step in Windows CryptoAPI allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55144 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55144 | Samuel Lee with Microsoft Samuel Lee with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50520 MITRE NVD |
CVE Title: Visual Studio Code Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50520 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50520 | Daniel Santos with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54108 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: External control of file name or path in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54108 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54108 | Piotr Bazydło (@chudypb) 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50675 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50675 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50675 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50678 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure, Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50678 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50678 | f4 & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54988 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metrics, exploitation results in a small loss of confidentiality (C:L), no integrity impact (I:N), and high availability impact (A:H). What does this mean? This means that an attacker could potentially see a small amount of information they should not have access to, but they cannot change data or system settings. The primary impact is that the affected service could stop working or crash, which may temporarily disrupt normal system operations. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54988 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54988 | Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55899 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55899 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55899 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-55945 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Edge (Chromium-based) allows an authorized attacker to disclose information locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. What is the version information for this release?
What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Moderate | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55945 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Moderate | Information Disclosure | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-55945 | Gal Weizman (weizmangal@gmail.com / https://x.com/weizmangal) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55948 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55948 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55948 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56155 MITRE NVD |
CVE Title: Active Directory Federation Services Elevation of Privilege Vulnerability
Description: Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Detected | Not Found | Not Applicable | No | Yes |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56155 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 7.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56155 | Scott Clark (DART) with Microsoft Jeremy Kingston (DART) with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56164 MITRE NVD |
CVE Title: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Description: Missing authentication for critical function in Microsoft Office SharePoint allows an unauthorized attacker to elevate privileges over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Moderate | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Detected | Not Found | Not Applicable | No | Yes |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56164 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Moderate | Elevation of Privilege | None | Base: 5.3 Temporal: 4.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Moderate | Elevation of Privilege | None | Base: 5.3 Temporal: 4.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Moderate | Elevation of Privilege | None | Base: 5.3 Temporal: 4.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56164 | Anonymous Genwei Jiang with Google Cloud, FLARE OTF Jayson Frost with Mandiant Incident Response |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56169 MITRE NVD |
CVE Title: Windows Admin Center Elevation of Privilege Vulnerability
Description: Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56169 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56169 | Howard McGreehan with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56170 MITRE NVD |
CVE Title: ASP.NET Core Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56170 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56170 | Ky0toFu |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50694 MITRE NVD |
CVE Title: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
Description: Use after free in Windows Secure Socket Tunneling Protocol (SSTP) allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit the vulnerability? To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to a SSTP server. This could result in remote code execution on the server side. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50694 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50694 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54127 MITRE NVD |
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description: Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54127 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54127 | MORSE with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56193 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56193 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56193 | Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56185 MITRE NVD |
CVE Title: Windows Admin Center Information Disclosure Vulnerability
Description: Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56185 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56185 | Howard McGreehan with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57097 MITRE NVD |
CVE Title: Microsoft XML Security Feature Bypass Vulnerability
Description: Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57097 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.4 Temporal: 5.6 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57097 | Ken Pyle with Independent Academic & Responsible Cybersecurity Research |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57107 MITRE NVD |
CVE Title: Windows Admin Center Elevation of Privilege Vulnerability
Description: Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57107 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57107 | sho odagiri with GMO Cybersecurity by Ierae inc Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57969 MITRE NVD |
CVE Title: Azure CycleCloud Elevation of Privilege Vulnerability
Description: Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network. FAQ: How could an attacker exploit this vulnerability? An authenticated user who has the Cluster Creator role could exploit this vulnerability by using a cluster creation operation in a way that bypasses an authorization check. By doing so, the attacker could overwrite another user’s cluster, including a cluster owned by an administrator, and take ownership of it. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain full control of the affected cluster that was overwritten and taken over. This could allow the attacker to run unauthorized code, remove or alter credentials associated with the cluster, and perform actions with the same level of access available within that cluster. What do I need to do to protect myself? Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix. For installation and upgrade guidance, see: Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57969 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure CycleCloud 8.9.1 | Release Notes (Security Update - Marketplace Image) Release Notes (Security Update - PMC DEB) Release Notes (Security Update - PMC RPM) |
Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-57969 | Asaf Cohen with XBreach.ai XBREACH.AI TEAM with https://xbreach.ai/ XBREACH.AI TEAM with https://xbreach.ai/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57976 MITRE NVD |
CVE Title: Windows Active Directory Domain Services Denial of Service Vulnerability
Description: Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57976 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57976 | Ravi Kumar |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57979 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57979 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57979 | Sanil Singh Tomar with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57981 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. How could an attacker exploit this vulnerability? An authenticated attacker can run arbitrary SQL queries as the SMS service (with sysadmin privileges). Since the injection happens during a user permission check, even users with read-only RBAC roles can exploit it. Any local SMS Admins group member on the SMS Provider host can also take advantage of this vulnerability. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57981 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57981 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57983 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description: Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What kind of security feature could be bypassed by successfully exploiting this vulnerability? An unauthenticated attacker is able to bypass the expected user access. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57983 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.7 Temporal: 7.6 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57983 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57984 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57984 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57984 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57985 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57985 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.6 Temporal: 6.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57985 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57986 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57986 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57986 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57987 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57987 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57987 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57988 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Relative path traversal in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57988 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57988 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55014 MITRE NVD |
CVE Title: Windows Remote Help Defense Elevation of Privilege Vulnerability
Description: Improper access control in Windows Remote Help Defense allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain the privileges of the compromised user. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55014 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Remote Help | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55014 | Nick Agathos with Commonwealth Bank of Australia |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57991 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description: Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57991 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57991 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57992 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57992 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57992 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58276 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58276 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58276 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58278 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58278 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58278 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58279 MITRE NVD |
CVE Title: Azure CycleCloud Elevation of Privilege Vulnerability
Description: Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network. FAQ: What do I need to do to protect myself? Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix. For installation and upgrade guidance, see: Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1. What privileges could be gained by an attacker who successfully exploited the vulnerability? A low-privilege attacker who successfully exploits the vulnerability could potentially elevate their privileges to perform unauthorized modification of another user's cluster. According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and availability (A:L), but could lead to major loss of integrity (I:H). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could gain the ability to modify another user's cluster without authorization. It does not lead to information disclosure or service downtime. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58279 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure CycleCloud 8.9.1 | Release Notes (Security Update - PMC RPM) Release Notes (Security Update - PMC DEB) Release Notes (Security Update - Marketplace Image) |
Important | Elevation of Privilege | None | Base: 6.5 Temporal: 5.9 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58279 | XBREACH.AI TEAM with https://xbreach.ai/ |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58526 MITRE NVD |
CVE Title: Windows Storage Elevation of Privilege Vulnerability
Description: Use after free in Windows Storage allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58526 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58526 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58595 MITRE NVD |
CVE Title: Microsoft Bing App for IOS Spoofing Vulnerability
Description: Improper restriction of rendered ui layers or frames in Microsoft Bing App for IOS allows an unauthorized attacker to perform spoofing over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58595 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Bing Search for iOS | Release Notes (Security Update) | Important | Spoofing | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58595 | Azza Tegar Naufal Ataullah |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50522 MITRE NVD |
CVE Title: Microsoft SharePoint Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. How could an attacker exploit the vulnerability? In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50522 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50522 | splitline (@_splitline_) from DEVCORE Research Team working withTrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-56645 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56645 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56645 | sangnt (@gnas0x0018) with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-56646 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56646 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56646 | Orange Tsai (@orange_8361) with DEVCORE |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13775 MITRE NVD |
CVE Title: Chromium: CVE-2026-13775 Use after free in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13775 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13775 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13776 MITRE NVD |
CVE Title: Chromium: CVE-2026-13776 Type Confusion in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13776 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13776 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13779 MITRE NVD |
CVE Title: Chromium: CVE-2026-13779 Use after free in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:42     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13779 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13779 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13780 MITRE NVD |
CVE Title: Chromium: CVE-2026-13780 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13780 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13780 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13781 MITRE NVD |
CVE Title: Chromium: CVE-2026-13781 Insufficient validation of untrusted input in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13781 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13781 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13782 MITRE NVD |
CVE Title: Chromium: CVE-2026-13782 Use after free in Browser
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13782 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13782 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13783 MITRE NVD |
CVE Title: Chromium: CVE-2026-13783 Use after free in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13783 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13783 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13784 MITRE NVD |
CVE Title: Chromium: CVE-2026-13784 Use after free in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13784 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13784 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13786 MITRE NVD |
CVE Title: Chromium: CVE-2026-13786 Use after free in Ozone
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13786 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13786 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13787 MITRE NVD |
CVE Title: Chromium: CVE-2026-13787 Use after free in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13787 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13787 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13790 MITRE NVD |
CVE Title: Chromium: CVE-2026-13790 Side-channel information leakage in Scroll
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13790 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13790 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13793 MITRE NVD |
CVE Title: Chromium: CVE-2026-13793 Insufficient policy enforcement in SVG
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13793 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13793 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13794 MITRE NVD |
CVE Title: Chromium: CVE-2026-13794 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13794 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13794 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13797 MITRE NVD |
CVE Title: Chromium: CVE-2026-13797 Insufficient validation of untrusted input in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13797 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13797 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13798 MITRE NVD |
CVE Title: Chromium: CVE-2026-13798 Heap buffer overflow in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13798 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13798 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13801 MITRE NVD |
CVE Title: Chromium: CVE-2026-13801 Integer overflow in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13801 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13801 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13802 MITRE NVD |
CVE Title: Chromium: CVE-2026-13802 Use after free in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13802 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13802 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13803 MITRE NVD |
CVE Title: Chromium: CVE-2026-13803 Type Confusion in Chrome Tabs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13803 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13803 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13804 MITRE NVD |
CVE Title: Chromium: CVE-2026-13804 Use after free in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13804 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13804 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13848 MITRE NVD |
CVE Title: Chromium: CVE-2026-13848 Use after free in Forms
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13848 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13848 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13849 MITRE NVD |
CVE Title: Chromium: CVE-2026-13849 Insufficient validation of untrusted input in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13849 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13849 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13853 MITRE NVD |
CVE Title: Chromium: CVE-2026-13853 Use after free in Journeys
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:42     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13853 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13853 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13855 MITRE NVD |
CVE Title: Chromium: CVE-2026-13855 Use after free in Ozone
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13855 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13855 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13857 MITRE NVD |
CVE Title: Chromium: CVE-2026-13857 Inappropriate implementation in Geometry
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13857 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13857 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13858 MITRE NVD |
CVE Title: Chromium: CVE-2026-13858 Out of bounds read in FFmpeg
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13858 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13858 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13859 MITRE NVD |
CVE Title: Chromium: CVE-2026-13859 Inappropriate implementation in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13859 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13859 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13854 MITRE NVD |
CVE Title: Chromium: CVE-2026-13854 Use after free in Ozone
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13854 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13854 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13860 MITRE NVD |
CVE Title: Chromium: CVE-2026-13860 Incorrect security UI in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13860 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13860 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13864 MITRE NVD |
CVE Title: Chromium: CVE-2026-13864 Insufficient policy enforcement in WebHID
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13864 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13864 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13861 MITRE NVD |
CVE Title: Chromium: CVE-2026-13861 Use after free in Core
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13861 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13861 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13865 MITRE NVD |
CVE Title: Chromium: CVE-2026-13865 Insufficient validation of untrusted input in Enterprise
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13865 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13865 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13867 MITRE NVD |
CVE Title: Chromium: CVE-2026-13867 Inappropriate implementation in Geolocation
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:34     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13867 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13867 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13869 MITRE NVD |
CVE Title: Chromium: CVE-2026-13869 Use after free in Device
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13869 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13869 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13871 MITRE NVD |
CVE Title: Chromium: CVE-2026-13871 Insufficient data validation in GuestView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:56     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13871 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13871 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13873 MITRE NVD |
CVE Title: Chromium: CVE-2026-13873 Out of bounds memory access in Layout
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13873 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13873 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13874 MITRE NVD |
CVE Title: Chromium: CVE-2026-13874 Inappropriate implementation in DataTransfer
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13874 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13874 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13876 MITRE NVD |
CVE Title: Chromium: CVE-2026-13876 Inappropriate implementation in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13876 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13876 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13877 MITRE NVD |
CVE Title: Chromium: CVE-2026-13877 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13877 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13877 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13875 MITRE NVD |
CVE Title: Chromium: CVE-2026-13875 Insufficient validation of untrusted input in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13875 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13875 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13879 MITRE NVD |
CVE Title: Chromium: CVE-2026-13879 Use after free in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13879 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13879 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13882 MITRE NVD |
CVE Title: Chromium: CVE-2026-13882 Inappropriate implementation in USB
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13882 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13882 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13881 MITRE NVD |
CVE Title: Chromium: CVE-2026-13881 Insufficient data validation in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13881 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13881 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13883 MITRE NVD |
CVE Title: Chromium: CVE-2026-13883 Type Confusion in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13883 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13883 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13886 MITRE NVD |
CVE Title: Chromium: CVE-2026-13886 Policy bypass in Isolated Web Apps
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13886 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13886 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13888 MITRE NVD |
CVE Title: Chromium: CVE-2026-13888 Use after free in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13888 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13888 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13884 MITRE NVD |
CVE Title: Chromium: CVE-2026-13884 Heap buffer overflow in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13884 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13884 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13890 MITRE NVD |
CVE Title: Chromium: CVE-2026-13890 Out of bounds read in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13890 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13890 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13891 MITRE NVD |
CVE Title: Chromium: CVE-2026-13891 Insufficient validation of untrusted input in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13891 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13891 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13893 MITRE NVD |
CVE Title: Chromium: CVE-2026-13893 Insufficient validation of untrusted input in WebUI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13893 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13893 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13894 MITRE NVD |
CVE Title: Chromium: CVE-2026-13894 Insufficient policy enforcement in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13894 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13894 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13895 MITRE NVD |
CVE Title: Chromium: CVE-2026-13895 Inappropriate implementation in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13895 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13895 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13896 MITRE NVD |
CVE Title: Chromium: CVE-2026-13896 Insufficient policy enforcement in Glic
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13896 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13896 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13897 MITRE NVD |
CVE Title: Chromium: CVE-2026-13897 Insufficient policy enforcement in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:20     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13897 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13897 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13898 MITRE NVD |
CVE Title: Chromium: CVE-2026-13898 Use after free in Cast Receiver
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13898 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13898 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13901 MITRE NVD |
CVE Title: Chromium: CVE-2026-13901 Insufficient validation of untrusted input in Serial
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:25     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13901 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13901 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13900 MITRE NVD |
CVE Title: Chromium: CVE-2026-13900 Insufficient validation of untrusted input in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13900 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13900 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13899 MITRE NVD |
CVE Title: Chromium: CVE-2026-13899 Use after free in HTML
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13899 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13899 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13903 MITRE NVD |
CVE Title: Chromium: CVE-2026-13903 Insufficient policy enforcement in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13903 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13903 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13906 MITRE NVD |
CVE Title: Chromium: CVE-2026-13906 Out of bounds read in Codecs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13906 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13906 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13909 MITRE NVD |
CVE Title: Chromium: CVE-2026-13909 Insufficient policy enforcement in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13909 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13909 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13911 MITRE NVD |
CVE Title: Chromium: CVE-2026-13911 Insufficient data validation in Spellcheck
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13911 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13911 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13921 MITRE NVD |
CVE Title: Chromium: CVE-2026-13921 Insufficient validation of untrusted input in DeviceBoundSessionCredentials
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13921 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13921 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13922 MITRE NVD |
CVE Title: Chromium: CVE-2026-13922 Side-channel information leakage in Paint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13922 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13922 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13920 MITRE NVD |
CVE Title: Chromium: CVE-2026-13920 Insufficient validation of untrusted input in Media
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13920 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13920 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13919 MITRE NVD |
CVE Title: Chromium: CVE-2026-13919 Insufficient data validation in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:32     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13919 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13919 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13925 MITRE NVD |
CVE Title: Chromium: CVE-2026-13925 Inappropriate implementation in Downloads
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13925 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13925 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13928 MITRE NVD |
CVE Title: Chromium: CVE-2026-13928 Insufficient validation of untrusted input in Enterprise
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13928 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13928 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13931 MITRE NVD |
CVE Title: Chromium: CVE-2026-13931 Inappropriate implementation in Media
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13931 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13931 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13934 MITRE NVD |
CVE Title: Chromium: CVE-2026-13934 Insufficient validation of untrusted input in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13934 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13934 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13933 MITRE NVD |
CVE Title: Chromium: CVE-2026-13933 Insufficient policy enforcement in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:42     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13933 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13933 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13930 MITRE NVD |
CVE Title: Chromium: CVE-2026-13930 Insufficient policy enforcement in Actor
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13930 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13930 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13935 MITRE NVD |
CVE Title: Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13935 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13935 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13937 MITRE NVD |
CVE Title: Chromium: CVE-2026-13937 Insufficient policy enforcement in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13937 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13937 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13938 MITRE NVD |
CVE Title: Chromium: CVE-2026-13938 Integer overflow in Fonts
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13938 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13938 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13940 MITRE NVD |
CVE Title: Chromium: CVE-2026-13940 Uninitialized Use in Cast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13940 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13940 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13942 MITRE NVD |
CVE Title: Chromium: CVE-2026-13942 Insufficient validation of untrusted input in Video Capture
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13942 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13942 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13941 MITRE NVD |
CVE Title: Chromium: CVE-2026-13941 Inappropriate implementation in SiteSettings
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13941 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13941 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13945 MITRE NVD |
CVE Title: Chromium: CVE-2026-13945 Insufficient policy enforcement in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13945 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13945 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13947 MITRE NVD |
CVE Title: Chromium: CVE-2026-13947 Uninitialized Use in XR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13947 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13947 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13948 MITRE NVD |
CVE Title: Chromium: CVE-2026-13948 Insufficient policy enforcement in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:39     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13948 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13948 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13950 MITRE NVD |
CVE Title: Chromium: CVE-2026-13950 Uninitialized Use in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13950 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13950 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13951 MITRE NVD |
CVE Title: Chromium: CVE-2026-13951 Policy bypass in USB
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13951 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13951 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13952 MITRE NVD |
CVE Title: Chromium: CVE-2026-13952 Inappropriate implementation in PerformanceAPIs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13952 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13952 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13953 MITRE NVD |
CVE Title: Chromium: CVE-2026-13953 Inappropriate implementation in SplitView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13953 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13953 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13956 MITRE NVD |
CVE Title: Chromium: CVE-2026-13956 Incorrect security UI in PageInfo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13956 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13956 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13958 MITRE NVD |
CVE Title: Chromium: CVE-2026-13958 Uninitialized Use in Codecs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13958 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13958 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13957 MITRE NVD |
CVE Title: Chromium: CVE-2026-13957 Incorrect security UI in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13957 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13957 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13959 MITRE NVD |
CVE Title: Chromium: CVE-2026-13959 Insufficient validation of untrusted input in Blink
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13959 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13959 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13960 MITRE NVD |
CVE Title: Chromium: CVE-2026-13960 Inappropriate implementation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13960 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13960 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13962 MITRE NVD |
CVE Title: Chromium: CVE-2026-13962 Insufficient data validation in PDF
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13962 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13962 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13963 MITRE NVD |
CVE Title: Chromium: CVE-2026-13963 Inappropriate implementation in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13963 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13963 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13965 MITRE NVD |
CVE Title: Chromium: CVE-2026-13965 Use after free in Oilpan
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13965 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13965 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13967 MITRE NVD |
CVE Title: Chromium: CVE-2026-13967 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13967 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13967 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13966 MITRE NVD |
CVE Title: Chromium: CVE-2026-13966 Inappropriate implementation in History
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13966 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13966 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13968 MITRE NVD |
CVE Title: Chromium: CVE-2026-13968 Insufficient validation of untrusted input in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13968 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13968 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13970 MITRE NVD |
CVE Title: Chromium: CVE-2026-13970 Uninitialized Use in Media
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13970 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13970 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13972 MITRE NVD |
CVE Title: Chromium: CVE-2026-13972 Inappropriate implementation in Paint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13972 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13972 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13971 MITRE NVD |
CVE Title: Chromium: CVE-2026-13971 Uninitialized Use in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13971 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13971 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13973 MITRE NVD |
CVE Title: Chromium: CVE-2026-13973 Inappropriate implementation in UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13973 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13973 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13976 MITRE NVD |
CVE Title: Chromium: CVE-2026-13976 Heap buffer overflow in Storage
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13976 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13976 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13977 MITRE NVD |
CVE Title: Chromium: CVE-2026-13977 Inappropriate implementation in HTMLParser
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13977 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13977 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13978 MITRE NVD |
CVE Title: Chromium: CVE-2026-13978 Insufficient policy enforcement in PageInfo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13978 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13978 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13979 MITRE NVD |
CVE Title: Chromium: CVE-2026-13979 Inappropriate implementation in Paint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13979 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13979 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13982 MITRE NVD |
CVE Title: Chromium: CVE-2026-13982 Incorrect security UI in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13982 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13982 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13984 MITRE NVD |
CVE Title: Chromium: CVE-2026-13984 Incorrect security UI in TabStrip
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:25     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13984 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13984 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13985 MITRE NVD |
CVE Title: Chromium: CVE-2026-13985 Inappropriate implementation in MediaCapture
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13985 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13985 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13986 MITRE NVD |
CVE Title: Chromium: CVE-2026-13986 Inappropriate implementation in Media UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13986 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13986 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13989 MITRE NVD |
CVE Title: Chromium: CVE-2026-13989 Insufficient policy enforcement in PageInfo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13989 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13989 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13988 MITRE NVD |
CVE Title: Chromium: CVE-2026-13988 Inappropriate implementation in Paint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13988 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13988 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13993 MITRE NVD |
CVE Title: Chromium: CVE-2026-13993 Incorrect security UI in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:32     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13993 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13993 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13990 MITRE NVD |
CVE Title: Chromium: CVE-2026-13990 Insufficient validation of untrusted input in DataTransfer
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13990 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13990 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13996 MITRE NVD |
CVE Title: Chromium: CVE-2026-13996 Incorrect security UI in Permissions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13996 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13996 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13999 MITRE NVD |
CVE Title: Chromium: CVE-2026-13999 Inappropriate implementation in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13999 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13999 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14000 MITRE NVD |
CVE Title: Chromium: CVE-2026-14000 Inappropriate implementation in XML
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14000 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14000 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14001 MITRE NVD |
CVE Title: Chromium: CVE-2026-14001 Inappropriate implementation in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14001 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14002 MITRE NVD |
CVE Title: Chromium: CVE-2026-14002 Inappropriate implementation in Geolocation
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14002 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14002 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14003 MITRE NVD |
CVE Title: Chromium: CVE-2026-14003 Insufficient policy enforcement in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14003 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14003 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14004 MITRE NVD |
CVE Title: Chromium: CVE-2026-14004 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14004 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14004 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14006 MITRE NVD |
CVE Title: Chromium: CVE-2026-14006 Use after free in Navigation
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14006 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14006 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14007 MITRE NVD |
CVE Title: Chromium: CVE-2026-14007 Insufficient policy enforcement in PermissionsPolicy
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14007 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14007 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14008 MITRE NVD |
CVE Title: Chromium: CVE-2026-14008 Uninitialized Use in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14008 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14008 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14009 MITRE NVD |
CVE Title: Chromium: CVE-2026-14009 Insufficient data validation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14009 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14009 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14010 MITRE NVD |
CVE Title: Chromium: CVE-2026-14010 Uninitialized Use in Codecs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14010 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14010 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14011 MITRE NVD |
CVE Title: Chromium: CVE-2026-14011 Out of bounds read in SurfaceCapture
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14011 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14011 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14012 MITRE NVD |
CVE Title: Chromium: CVE-2026-14012 Side-channel information leakage in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14012 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14012 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14013 MITRE NVD |
CVE Title: Chromium: CVE-2026-14013 Inappropriate implementation in SVG
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14013 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14013 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14014 MITRE NVD |
CVE Title: Chromium: CVE-2026-14014 Inappropriate implementation in Paint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14014 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14014 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14015 MITRE NVD |
CVE Title: Chromium: CVE-2026-14015 Inappropriate implementation in WebRTC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14015 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14015 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14018 MITRE NVD |
CVE Title: Chromium: CVE-2026-14018 Use after free in Updater
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14018 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14018 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14016 MITRE NVD |
CVE Title: Chromium: CVE-2026-14016 Insufficient policy enforcement in SVG
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14016 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14016 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14017 MITRE NVD |
CVE Title: Chromium: CVE-2026-14017 Inappropriate implementation in Navigation
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14017 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14017 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14019 MITRE NVD |
CVE Title: Chromium: CVE-2026-14019 Inappropriate implementation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14019 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14019 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14020 MITRE NVD |
CVE Title: Chromium: CVE-2026-14020 Insufficient validation of untrusted input in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14020 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14020 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14021 MITRE NVD |
CVE Title: Chromium: CVE-2026-14021 Insufficient validation of untrusted input in StorageAccessAPI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14021 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14021 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14022 MITRE NVD |
CVE Title: Chromium: CVE-2026-14022 Insufficient validation of untrusted input in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14022 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14022 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14023 MITRE NVD |
CVE Title: Chromium: CVE-2026-14023 Insufficient validation of untrusted input in SanitizerAPI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14023 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14023 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14025 MITRE NVD |
CVE Title: Chromium: CVE-2026-14025 Use after free in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14025 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14025 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14024 MITRE NVD |
CVE Title: Chromium: CVE-2026-14024 Use after free in Ozone
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14024 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14024 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14027 MITRE NVD |
CVE Title: Chromium: CVE-2026-14027 Use after free in SignIn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14027 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14027 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14031 MITRE NVD |
CVE Title: Chromium: CVE-2026-14031 Incorrect security UI in File Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14031 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14031 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14032 MITRE NVD |
CVE Title: Chromium: CVE-2026-14032 Use after free in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14032 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14032 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14030 MITRE NVD |
CVE Title: Chromium: CVE-2026-14030 Incorrect security UI in SplitView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14030 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14030 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14034 MITRE NVD |
CVE Title: Chromium: CVE-2026-14034 Inappropriate implementation in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14034 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14034 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14033 MITRE NVD |
CVE Title: Chromium: CVE-2026-14033 Insufficient policy enforcement in Media
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14033 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14033 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14035 MITRE NVD |
CVE Title: Chromium: CVE-2026-14035 Insufficient policy enforcement in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:15     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14035 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14035 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14036 MITRE NVD |
CVE Title: Chromium: CVE-2026-14036 Insufficient policy enforcement in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14036 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14036 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14038 MITRE NVD |
CVE Title: Chromium: CVE-2026-14038 Insufficient validation of untrusted input in New Tab Page
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:18     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14038 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14038 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14039 MITRE NVD |
CVE Title: Chromium: CVE-2026-14039 Insufficient policy enforcement in GetUserMedia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14039 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14039 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14037 MITRE NVD |
CVE Title: Chromium: CVE-2026-14037 Insufficient policy enforcement in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14037 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14037 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14040 MITRE NVD |
CVE Title: Chromium: CVE-2026-14040 Use after free in BrowserTag
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14040 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14040 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14042 MITRE NVD |
CVE Title: Chromium: CVE-2026-14042 Inappropriate implementation in Isolated Web Apps
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14042 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14042 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14041 MITRE NVD |
CVE Title: Chromium: CVE-2026-14041 Insufficient policy enforcement in Serial
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14041 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14041 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14043 MITRE NVD |
CVE Title: Chromium: CVE-2026-14043 Use after free in GetUserMedia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14043 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14043 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14044 MITRE NVD |
CVE Title: Chromium: CVE-2026-14044 Use after free in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:25     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14044 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14044 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14045 MITRE NVD |
CVE Title: Chromium: CVE-2026-14045 Insufficient validation of untrusted input in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:27     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14045 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14045 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14046 MITRE NVD |
CVE Title: Chromium: CVE-2026-14046 Inappropriate implementation in CustomTabs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14046 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14046 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14047 MITRE NVD |
CVE Title: Chromium: CVE-2026-14047 Insufficient policy enforcement in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14047 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14047 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14048 MITRE NVD |
CVE Title: Chromium: CVE-2026-14048 Use after free in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:30     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14048 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14048 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14049 MITRE NVD |
CVE Title: Chromium: CVE-2026-14049 Inappropriate implementation in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14049 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14049 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14050 MITRE NVD |
CVE Title: Chromium: CVE-2026-14050 Insufficient policy enforcement in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14050 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14050 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14051 MITRE NVD |
CVE Title: Chromium: CVE-2026-14051 Uninitialized Use in GamepadAPI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:34     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14051 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14051 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14052 MITRE NVD |
CVE Title: Chromium: CVE-2026-14052 Insufficient policy enforcement in FileSystem
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14052 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14052 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14055 MITRE NVD |
CVE Title: Chromium: CVE-2026-14055 Insufficient validation of untrusted input in Device Trust
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:39     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14055 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14055 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14053 MITRE NVD |
CVE Title: Chromium: CVE-2026-14053 Insufficient policy enforcement in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14053 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14053 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14056 MITRE NVD |
CVE Title: Chromium: CVE-2026-14056 Insufficient validation of untrusted input in Media
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14056 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14056 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14054 MITRE NVD |
CVE Title: Chromium: CVE-2026-14054 Insufficient policy enforcement in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14054 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14054 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14057 MITRE NVD |
CVE Title: Chromium: CVE-2026-14057 Insufficient policy enforcement in FedCM
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14057 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14057 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14058 MITRE NVD |
CVE Title: Chromium: CVE-2026-14058 Policy bypass in Parser
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:42     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14058 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14058 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14060 MITRE NVD |
CVE Title: Chromium: CVE-2026-14060 Insufficient validation of untrusted input in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14060 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14060 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14062 MITRE NVD |
CVE Title: Chromium: CVE-2026-14062 Inappropriate implementation in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14062 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14062 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14059 MITRE NVD |
CVE Title: Chromium: CVE-2026-14059 Insufficient policy enforcement in Related-Website-Sets
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14059 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14059 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14061 MITRE NVD |
CVE Title: Chromium: CVE-2026-14061 Inappropriate implementation in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14061 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14061 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14063 MITRE NVD |
CVE Title: Chromium: CVE-2026-14063 Out of bounds memory access in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14063 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14063 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14064 MITRE NVD |
CVE Title: Chromium: CVE-2026-14064 Use after free in PageInfo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14064 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14064 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14065 MITRE NVD |
CVE Title: Chromium: CVE-2026-14065 Insufficient validation of untrusted input in PageInfo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14065 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14065 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14068 MITRE NVD |
CVE Title: Chromium: CVE-2026-14068 Inappropriate implementation in Omnibox
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14068 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14068 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14026 MITRE NVD |
CVE Title: Chromium: CVE-2026-14026 Incorrect security UI in SplitView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14026 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14026 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14069 MITRE NVD |
CVE Title: Chromium: CVE-2026-14069 Integer overflow in WebNN
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14069 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14069 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14070 MITRE NVD |
CVE Title: Chromium: CVE-2026-14070 Uninitialized Use in WebNN
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14070 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14070 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14072 MITRE NVD |
CVE Title: Chromium: CVE-2026-14072 Incorrect security UI in SplitView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14072 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14072 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14071 MITRE NVD |
CVE Title: Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14071 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14071 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14073 MITRE NVD |
CVE Title: Chromium: CVE-2026-14073 Insufficient policy enforcement in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14073 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14073 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14076 MITRE NVD |
CVE Title: Chromium: CVE-2026-14076 Policy bypass in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14076 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14076 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14077 MITRE NVD |
CVE Title: Chromium: CVE-2026-14077 Incorrect security UI in Select
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14077 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14077 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14078 MITRE NVD |
CVE Title: Chromium: CVE-2026-14078 Policy bypass in WebRTC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14078 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14078 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14079 MITRE NVD |
CVE Title: Chromium: CVE-2026-14079 Policy bypass in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14079 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14079 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14081 MITRE NVD |
CVE Title: Chromium: CVE-2026-14081 Insufficient policy enforcement in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14081 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14081 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14080 MITRE NVD |
CVE Title: Chromium: CVE-2026-14080 Insufficient validation of untrusted input in TabSwitcher
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14080 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14080 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14082 MITRE NVD |
CVE Title: Chromium: CVE-2026-14082 Race in Storage
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14082 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14082 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14074 MITRE NVD |
CVE Title: Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14074 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14074 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14083 MITRE NVD |
CVE Title: Chromium: CVE-2026-14083 Insufficient validation of untrusted input in HTML
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14083 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14083 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14084 MITRE NVD |
CVE Title: Chromium: CVE-2026-14084 Insufficient validation of untrusted input in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14084 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14084 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14085 MITRE NVD |
CVE Title: Chromium: CVE-2026-14085 Side-channel information leakage in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14085 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14085 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14086 MITRE NVD |
CVE Title: Chromium: CVE-2026-14086 Insufficient policy enforcement in HID
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14086 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14086 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14087 MITRE NVD |
CVE Title: Chromium: CVE-2026-14087 Insufficient validation of untrusted input in WebNN
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14087 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14087 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14089 MITRE NVD |
CVE Title: Chromium: CVE-2026-14089 Insufficient validation of untrusted input in PopupBlocker
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14089 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14089 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14088 MITRE NVD |
CVE Title: Chromium: CVE-2026-14088 Uninitialized Use in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:15     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14088 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14088 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14090 MITRE NVD |
CVE Title: Chromium: CVE-2026-14090 Out of bounds read in CameraCapture
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T00:29:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14090 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14090 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14092 MITRE NVD |
CVE Title: Chromium: CVE-2026-14092 Insufficient policy enforcement in Privacy
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14092 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14092 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14095 MITRE NVD |
CVE Title: Chromium: CVE-2026-14095 Insufficient validation of untrusted input in Browser
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14095 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14095 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14093 MITRE NVD |
CVE Title: Chromium: CVE-2026-14093 Use after free in Cast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14093 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14093 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14094 MITRE NVD |
CVE Title: Chromium: CVE-2026-14094 Use after free in Installer
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14094 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14094 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14097 MITRE NVD |
CVE Title: Chromium: CVE-2026-14097 Inappropriate implementation in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14097 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14097 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14100 MITRE NVD |
CVE Title: Chromium: CVE-2026-14100 Insufficient data validation in NetworkCache
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:27     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14100 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14100 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14102 MITRE NVD |
CVE Title: Chromium: CVE-2026-14102 Use after free in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14102 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14102 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14104 MITRE NVD |
CVE Title: Chromium: CVE-2026-14104 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:30     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14104 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14104 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14103 MITRE NVD |
CVE Title: Chromium: CVE-2026-14103 Use after free in SSL
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14103 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14103 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14098 MITRE NVD |
CVE Title: Chromium: CVE-2026-14098 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14098 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14098 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14105 MITRE NVD |
CVE Title: Chromium: CVE-2026-14105 Insufficient policy enforcement in Speech
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14105 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14105 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14106 MITRE NVD |
CVE Title: Chromium: CVE-2026-14106 Insufficient validation of untrusted input in Text
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14106 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14106 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14091 MITRE NVD |
CVE Title: Chromium: CVE-2026-14091 Use after free in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14091 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14091 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14107 MITRE NVD |
CVE Title: Chromium: CVE-2026-14107 Use after free in Scheduling
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:34     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14107 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14107 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14108 MITRE NVD |
CVE Title: Chromium: CVE-2026-14108 Use after free in PDFium
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14108 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14108 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14109 MITRE NVD |
CVE Title: Chromium: CVE-2026-14109 Insufficient policy enforcement in Mojo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14109 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14109 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14110 MITRE NVD |
CVE Title: Chromium: CVE-2026-14110 Inappropriate implementation in DarkMode
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14110 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14110 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14111 MITRE NVD |
CVE Title: Chromium: CVE-2026-14111 Use after free in WebProtect
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:39     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14111 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14111 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14113 MITRE NVD |
CVE Title: Chromium: CVE-2026-14113 Use after free in Updater
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14113 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14113 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14115 MITRE NVD |
CVE Title: Chromium: CVE-2026-14115 Insufficient validation of untrusted input in Cast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14115 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14115 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14112 MITRE NVD |
CVE Title: Chromium: CVE-2026-14112 Inappropriate implementation in Enterprise
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14112 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14112 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14117 MITRE NVD |
CVE Title: Chromium: CVE-2026-14117 Insufficient validation of untrusted input in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14117 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14117 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14118 MITRE NVD |
CVE Title: Chromium: CVE-2026-14118 Insufficient data validation in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14118 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14118 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14119 MITRE NVD |
CVE Title: Chromium: CVE-2026-14119 Type Confusion in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14119 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14119 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14120 MITRE NVD |
CVE Title: Chromium: CVE-2026-14120 Inappropriate implementation in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14120 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14120 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14116 MITRE NVD |
CVE Title: Chromium: CVE-2026-14116 Insufficient validation of untrusted input in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:56     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14116 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14116 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14121 MITRE NVD |
CVE Title: Chromium: CVE-2026-14121 Use after free in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14121 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14121 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14124 MITRE NVD |
CVE Title: Chromium: CVE-2026-14124 Inappropriate implementation in CredentialProvider
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14124 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14124 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14125 MITRE NVD |
CVE Title: Chromium: CVE-2026-14125 Uninitialized Use in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14125 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14125 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14122 MITRE NVD |
CVE Title: Chromium: CVE-2026-14122 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14122 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14122 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14127 MITRE NVD |
CVE Title: Chromium: CVE-2026-14127 Inappropriate implementation in Printing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14127 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14127 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14129 MITRE NVD |
CVE Title: Chromium: CVE-2026-14129 Incorrect security UI in PreviewTab
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14129 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14129 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14130 MITRE NVD |
CVE Title: Chromium: CVE-2026-14130 Incorrect security UI in Omnibox
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14130 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14130 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14133 MITRE NVD |
CVE Title: Chromium: CVE-2026-14133 Race in History Embeddings
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14133 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14133 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14131 MITRE NVD |
CVE Title: Chromium: CVE-2026-14131 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14131 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14131 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14132 MITRE NVD |
CVE Title: Chromium: CVE-2026-14132 Inappropriate implementation in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14132 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14132 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14134 MITRE NVD |
CVE Title: Chromium: CVE-2026-14134 Inappropriate implementation in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14134 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14134 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14139 MITRE NVD |
CVE Title: Chromium: CVE-2026-14139 Inappropriate implementation in TabStrip
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14139 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14139 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14140 MITRE NVD |
CVE Title: Chromium: CVE-2026-14140 Insufficient validation of untrusted input in Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14140 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14140 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14141 MITRE NVD |
CVE Title: Chromium: CVE-2026-14141 Incorrect security UI in Document Picture-in-Picture
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14141 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14141 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14142 MITRE NVD |
CVE Title: Chromium: CVE-2026-14142 Inappropriate implementation in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14142 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14142 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14135 MITRE NVD |
CVE Title: Chromium: CVE-2026-14135 Insufficient validation of untrusted input in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14135 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14135 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14138 MITRE NVD |
CVE Title: Chromium: CVE-2026-14138 Inappropriate implementation in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14138 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14138 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14144 MITRE NVD |
CVE Title: Chromium: CVE-2026-14144 Incorrect security UI in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14144 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14144 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14143 MITRE NVD |
CVE Title: Chromium: CVE-2026-14143 Incorrect security UI in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14143 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14143 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14145 MITRE NVD |
CVE Title: Chromium: CVE-2026-14145 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14145 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14145 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14146 MITRE NVD |
CVE Title: Chromium: CVE-2026-14146 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:15     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14146 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14146 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14148 MITRE NVD |
CVE Title: Chromium: CVE-2026-14148 Type Confusion in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14148 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14148 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14147 MITRE NVD |
CVE Title: Chromium: CVE-2026-14147 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14147 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14147 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14152 MITRE NVD |
CVE Title: Chromium: CVE-2026-14152 Out of bounds write in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14152 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14152 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14150 MITRE NVD |
CVE Title: Chromium: CVE-2026-14150 Insufficient validation of untrusted input in Speech
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:20     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14150 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14150 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14149 MITRE NVD |
CVE Title: Chromium: CVE-2026-14149 Use after free in Audio
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14149 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14149 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14151 MITRE NVD |
CVE Title: Chromium: CVE-2026-14151 Inappropriate implementation in AI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14151 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14151 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14155 MITRE NVD |
CVE Title: Chromium: CVE-2026-14155 Insufficient policy enforcement in StorageAccessAPI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14155 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14155 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14153 MITRE NVD |
CVE Title: Chromium: CVE-2026-14153 Inappropriate implementation in Glic
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14153 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14153 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14154 MITRE NVD |
CVE Title: Chromium: CVE-2026-14154 Inappropriate implementation in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:25     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14154 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14154 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14156 MITRE NVD |
CVE Title: Chromium: CVE-2026-14156 Policy bypass in StorageAccessAPI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14156 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14156 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13961 MITRE NVD |
CVE Title: Chromium: CVE-2026-13961 Insufficient validation of untrusted input in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13961 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13961 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13774 MITRE NVD |
CVE Title: Chromium: CVE-2026-13774 Use after free in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13774 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13774 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58601 MITRE NVD |
CVE Title: Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability
Description: Heap-based buffer overflow in Virtual Hard Disk (VHD) Miniport Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58601 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58601 | Daejin Lee sweetchip Seung Chan Kim Nguyễn Đăng Nguyễn (@MochiNishimiya) with STAR Labs SG Pte. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58602 MITRE NVD |
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel Mode Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58602 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58602 | Angelboy (@scwuaptx) with DEVCORE |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58608 MITRE NVD |
CVE Title: Windows Print Spooler Remote Code Execution Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by interacting with the Windows Print Spooler service in a way that causes it to use memory that has already been freed. By creating and then closing a printer handle without properly invalidating a related notification handle, the attacker can trigger this condition and potentially run code on the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58608 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58608 | Orange Tsai (@orange_8361) with DEVCORE |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58609 MITRE NVD |
CVE Title: Windows Graphics Component Remote Code Execution Vulnerability
Description: Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58609 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58609 | Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58610 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58610 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58610 | yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58614 MITRE NVD |
CVE Title: Windows Kernel Security Feature Bypass Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an authorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? This vulnerability could allow an attacker to bypass an access control mechanism that is designed to restrict a sensitive debugging interface to administrators only. By bypassing this check, a standard authenticated user could gain unauthorized access to functionality that is intended to be limited to highly privileged users, weakening protections that enforce administrative boundaries on debugging capabilities. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58614 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58614 | Aman Gupta |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58618 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58618 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58618 | f4 & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58631 MITRE NVD |
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description: Improper authorization in Windows Admin Center allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58631 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58631 | Batuhan Er with HawkTrace |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58635 MITRE NVD |
CVE Title: Windows Narrator Braille Elevation of Privilege Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Windows Narrator Braille allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could execute code in the security context of the “NT AUTHORITY\Network Service” account. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58635 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58635 | yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58636 MITRE NVD |
CVE Title: Microsoft PC Manager Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Window PC Manager allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58636 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft PC Manager | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58636 | .bat Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58640 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58640 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58640 | Donghyeon Oh with Patchpoint Jonghoi Kim Sergey immortalp0ny Tarasov with Positive Technologies |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58644 MITRE NVD |
CVE Title: Microsoft SharePoint Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit the vulnerability? In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. 1.1    2026-07-14T07:00:00     The Patch for this issue was released but the CVE was inadvertently left out of the Patch Tuesday June 2026 release |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58644 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002880 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002874 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002873 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58644 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58647 MITRE NVD |
CVE Title: Microsoft PowerBI Report Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Power BI allows an authorized attacker to perform spoofing over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58647 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Power BI Report Server | Release Notes (Security Update) | Important | Spoofing | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58647 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13777 MITRE NVD |
CVE Title: Chromium: CVE-2026-13777 Insufficient validation of untrusted input in iOSWeb
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13777 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13777 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13778 MITRE NVD |
CVE Title: Chromium: CVE-2026-13778 Use after free in WebUSB
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13778 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13778 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13788 MITRE NVD |
CVE Title: Chromium: CVE-2026-13788 Use after free in Fullscreen
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13788 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13788 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13791 MITRE NVD |
CVE Title: Chromium: CVE-2026-13791 Insufficient validation of untrusted input in Downloads
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13791 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13791 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13795 MITRE NVD |
CVE Title: Chromium: CVE-2026-13795 Insufficient policy enforcement in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13795 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13795 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13785 MITRE NVD |
CVE Title: Chromium: CVE-2026-13785 Use after free in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13785 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13785 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13805 MITRE NVD |
CVE Title: Chromium: CVE-2026-13805 Use after free in GFX
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13805 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13805 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13807 MITRE NVD |
CVE Title: Chromium: CVE-2026-13807 Use after free in Import
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13807 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13807 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13812 MITRE NVD |
CVE Title: Chromium: CVE-2026-13812 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13812 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13812 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13809 MITRE NVD |
CVE Title: Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13809 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13809 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13808 MITRE NVD |
CVE Title: Chromium: CVE-2026-13808 Insufficient data validation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13808 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13808 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13816 MITRE NVD |
CVE Title: Chromium: CVE-2026-13816 Insufficient validation of untrusted input in File Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13816 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13816 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13813 MITRE NVD |
CVE Title: Chromium: CVE-2026-13813 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13813 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13813 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13825 MITRE NVD |
CVE Title: Chromium: CVE-2026-13825 Uninitialized Use in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13825 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13825 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13819 MITRE NVD |
CVE Title: Chromium: CVE-2026-13819 Out of bounds read in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13819 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13819 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13822 MITRE NVD |
CVE Title: Chromium: CVE-2026-13822 Inappropriate implementation in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13822 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13822 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13826 MITRE NVD |
CVE Title: Chromium: CVE-2026-13826 Inappropriate implementation in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13826 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13826 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13827 MITRE NVD |
CVE Title: Chromium: CVE-2026-13827 Use after free in Updater
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:34     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13827 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13827 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13833 MITRE NVD |
CVE Title: Chromium: CVE-2026-13833 Uninitialized Use in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13833 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13833 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13843 MITRE NVD |
CVE Title: Chromium: CVE-2026-13843 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13843 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13843 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13842 MITRE NVD |
CVE Title: Chromium: CVE-2026-13842 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13842 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13842 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13846 MITRE NVD |
CVE Title: Chromium: CVE-2026-13846 Use after free in USB
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13846 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13846 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13847 MITRE NVD |
CVE Title: Chromium: CVE-2026-13847 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13847 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13847 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13792 MITRE NVD |
CVE Title: Chromium: CVE-2026-13792 Use after free in Touchbar
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:30     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13792 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13792 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13851 MITRE NVD |
CVE Title: Chromium: CVE-2026-13851 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:56     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13851 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13851 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13852 MITRE NVD |
CVE Title: Chromium: CVE-2026-13852 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13852 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13852 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13850 MITRE NVD |
CVE Title: Chromium: CVE-2026-13850 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:11     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13850 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13850 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13856 MITRE NVD |
CVE Title: Chromium: CVE-2026-13856 Insufficient validation of untrusted input in Speech
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:58     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13856 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13856 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13862 MITRE NVD |
CVE Title: CVE-2026-13862
Description: CVE-2026-13862 FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13862 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13862 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13863 MITRE NVD |
CVE Title: Chromium: CVE-2026-13863 Insufficient validation of untrusted input in CustomTabs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13863 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13863 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13866 MITRE NVD |
CVE Title: Chromium: CVE-2026-13866 Insufficient validation of untrusted input in Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13866 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13866 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13868 MITRE NVD |
CVE Title: Chromium: CVE-2026-13868 Inappropriate implementation in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13868 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13868 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13870 MITRE NVD |
CVE Title: Chromium: CVE-2026-13870 Use after free in WebView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13870 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13870 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13878 MITRE NVD |
CVE Title: Chromium: CVE-2026-13878 Use after free in Bluetooth
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13878 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13878 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13872 MITRE NVD |
CVE Title: Chromium: CVE-2026-13872 Insufficient validation of untrusted input in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13872 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13872 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13880 MITRE NVD |
CVE Title: Chromium: CVE-2026-13880 Use after free in USB
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:39     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13880 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13880 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13885 MITRE NVD |
CVE Title: Chromium: CVE-2026-13885 Use after free in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:06     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13885 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13885 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13887 MITRE NVD |
CVE Title: Chromium: CVE-2026-13887 Insufficient policy enforcement in NFC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13887 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13887 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13889 MITRE NVD |
CVE Title: Chromium: CVE-2026-13889 Insufficient validation of untrusted input in WebAuthentication
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13889 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13889 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13904 MITRE NVD |
CVE Title: Chromium: CVE-2026-13904 Incorrect security UI in Safe Browsing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:18     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13904 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13904 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13892 MITRE NVD |
CVE Title: Chromium: CVE-2026-13892 Inappropriate implementation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:15     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13892 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13892 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13902 MITRE NVD |
CVE Title: Chromium: CVE-2026-13902 Inappropriate implementation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13902 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13902 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13905 MITRE NVD |
CVE Title: Chromium: CVE-2026-13905 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13905 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13905 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13914 MITRE NVD |
CVE Title: Chromium: CVE-2026-13914 Inappropriate implementation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13914 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13914 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13907 MITRE NVD |
CVE Title: Chromium: CVE-2026-13907 Inappropriate implementation in iOSWeb
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:20     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13907 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13907 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13912 MITRE NVD |
CVE Title: Chromium: CVE-2026-13912 Incorrect security UI in Safe Browsing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13912 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13912 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13910 MITRE NVD |
CVE Title: Chromium: CVE-2026-13910 Insufficient policy enforcement in WebXR
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13910 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13910 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13913 MITRE NVD |
CVE Title: Chromium: CVE-2026-13913 Insufficient policy enforcement in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13913 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13913 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13908 MITRE NVD |
CVE Title: Chromium: CVE-2026-13908 Insufficient validation of untrusted input in Omnibox
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13908 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13908 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13916 MITRE NVD |
CVE Title: Chromium: CVE-2026-13916 Inappropriate implementation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:27     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13916 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13916 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13915 MITRE NVD |
CVE Title: Chromium: CVE-2026-13915 Use after free in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13915 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13915 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13917 MITRE NVD |
CVE Title: Chromium: CVE-2026-13917 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13917 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13917 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13923 MITRE NVD |
CVE Title: Chromium: CVE-2026-13923 Uninitialized Use in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13923 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13923 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13926 MITRE NVD |
CVE Title: Chromium: CVE-2026-13926 Insufficient validation of untrusted input in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13926 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13926 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13918 MITRE NVD |
CVE Title: Chromium: CVE-2026-13918 Use after free in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13918 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13918 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13924 MITRE NVD |
CVE Title: Chromium: CVE-2026-13924 Insufficient validation of untrusted input in WebView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13924 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13924 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13929 MITRE NVD |
CVE Title: Chromium: CVE-2026-13929 Insufficient validation of untrusted input in DevTools
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:15     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13929 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13929 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13932 MITRE NVD |
CVE Title: Chromium: CVE-2026-13932 Inappropriate implementation in Sharing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13932 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13932 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13936 MITRE NVD |
CVE Title: Chromium: CVE-2026-13936 Inappropriate implementation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:18     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13936 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13936 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13943 MITRE NVD |
CVE Title: Chromium: CVE-2026-13943 Uninitialized Use in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:21     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13943 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13943 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13939 MITRE NVD |
CVE Title: Chromium: CVE-2026-13939 Insufficient validation of untrusted input in WebShare
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13939 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13939 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13944 MITRE NVD |
CVE Title: Chromium: CVE-2026-13944 Inappropriate implementation in DataTransfer
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:42     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13944 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13944 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13946 MITRE NVD |
CVE Title: Chromium: CVE-2026-13946 Inappropriate implementation in ScriptInjections
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13946 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13946 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13949 MITRE NVD |
CVE Title: Chromium: CVE-2026-13949 Insufficient policy enforcement in Payments
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13949 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13949 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13955 MITRE NVD |
CVE Title: Chromium: CVE-2026-13955 Insufficient validation of untrusted input in CustomTabs
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13955 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13955 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13927 MITRE NVD |
CVE Title: Chromium: CVE-2026-13927 Insufficient validation of untrusted input in UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13927 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13927 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13964 MITRE NVD |
CVE Title: Chromium: CVE-2026-13964 Insufficient policy enforcement in WebView
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13964 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13964 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13969 MITRE NVD |
CVE Title: Chromium: CVE-2026-13969 Uninitialized Use in UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:26     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13969 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13969 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13975 MITRE NVD |
CVE Title: Chromium: CVE-2026-13975 Out of bounds read in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13975 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13975 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13974 MITRE NVD |
CVE Title: Chromium: CVE-2026-13974 Integer overflow in Safe Browsing
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13974 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13974 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13981 MITRE NVD |
CVE Title: Chromium: CVE-2026-13981 Inappropriate implementation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13981 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13981 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13980 MITRE NVD |
CVE Title: Chromium: CVE-2026-13980 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:32     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13980 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13980 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13987 MITRE NVD |
CVE Title: Chromium: CVE-2026-13987 Incorrect security UI in Mobile
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:27     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13987 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13987 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13991 MITRE NVD |
CVE Title: Chromium: CVE-2026-13991 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13991 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13991 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13992 MITRE NVD |
CVE Title: Chromium: CVE-2026-13992 Inappropriate implementation in UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13992 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13992 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13994 MITRE NVD |
CVE Title: Chromium: CVE-2026-13994 Inappropriate implementation in Credential Management
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13994 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13994 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13995 MITRE NVD |
CVE Title: Chromium: CVE-2026-13995 Insufficient validation of untrusted input in Autofill
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:29     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13995 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13995 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13983 MITRE NVD |
CVE Title: Chromium: CVE-2026-13983 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:34     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13983 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13983 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13997 MITRE NVD |
CVE Title: Chromium: CVE-2026-13997 Incorrect security UI in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13997 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13997 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13998 MITRE NVD |
CVE Title: Chromium: CVE-2026-13998 Incorrect security UI in File Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13998 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13998 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14005 MITRE NVD |
CVE Title: Chromium: CVE-2026-14005 Use after free in Omnibox
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:32     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14005 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14005 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14028 MITRE NVD |
CVE Title: Chromium: CVE-2026-14028 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14028 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14028 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14066 MITRE NVD |
CVE Title: Chromium: CVE-2026-14066 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14066 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14066 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14067 MITRE NVD |
CVE Title: Chromium: CVE-2026-14067 Use after free in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14067 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14067 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14075 MITRE NVD |
CVE Title: Chromium: CVE-2026-14075 Policy bypass in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14075 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14075 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14096 MITRE NVD |
CVE Title: Chromium: CVE-2026-14096 Object lifecycle issue in Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14096 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14096 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14099 MITRE NVD |
CVE Title: Chromium: CVE-2026-14099 Use after free in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14099 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14099 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14101 MITRE NVD |
CVE Title: Chromium: CVE-2026-14101 Insufficient policy enforcement in Sandbox
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:49     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14101 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14101 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14114 MITRE NVD |
CVE Title: Chromium: CVE-2026-14114 Inappropriate implementation in WebAppInstalls
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14114 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14114 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14123 MITRE NVD |
CVE Title: Chromium: CVE-2026-14123 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14123 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14123 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14126 MITRE NVD |
CVE Title: Chromium: CVE-2026-14126 Incorrect security UI in UI
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14126 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14126 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14128 MITRE NVD |
CVE Title: Chromium: CVE-2026-14128 Insufficient data validation in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14128 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14128 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14136 MITRE NVD |
CVE Title: Chromium: CVE-2026-14136 Incorrect security UI in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:46     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14136 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14136 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14385 MITRE NVD |
CVE Title: Chromium: CVE-2026-14385 Heap buffer overflow in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14385 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14385 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14137 MITRE NVD |
CVE Title: Chromium: CVE-2026-14137 Insufficient validation of untrusted input in Chrome for iOS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:40:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14137 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14137 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14382 MITRE NVD |
CVE Title: Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14382 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14382 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14386 MITRE NVD |
CVE Title: Chromium: CVE-2026-14386 Out of bounds read in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:52     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14386 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14386 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14388 MITRE NVD |
CVE Title: Chromium: CVE-2026-14388 Out of bounds read in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14388 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14388 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14390 MITRE NVD |
CVE Title: Chromium: CVE-2026-14390 Use after free in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14390 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14390 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14392 MITRE NVD |
CVE Title: Chromium: CVE-2026-14392 Out of bounds write in Tint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14392 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14392 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14393 MITRE NVD |
CVE Title: Chromium: CVE-2026-14393 Use after free in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14393 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14393 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14391 MITRE NVD |
CVE Title: Chromium: CVE-2026-14391 Integer overflow in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14391 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14391 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14395 MITRE NVD |
CVE Title: Chromium: CVE-2026-14395 Out of bounds write in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:40     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14395 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14395 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14396 MITRE NVD |
CVE Title: Chromium: CVE-2026-14396 Out of bounds read in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14396 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14396 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14394 MITRE NVD |
CVE Title: Chromium: CVE-2026-14394 Use after free in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:39     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14394 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14394 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14398 MITRE NVD |
CVE Title: Chromium: CVE-2026-14398 Use after free in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:41     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14398 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14398 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14397 MITRE NVD |
CVE Title: Chromium: CVE-2026-14397 Out of bounds write in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14397 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14397 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14399 MITRE NVD |
CVE Title: Chromium: CVE-2026-14399 Uninitialized Use in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:43     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14399 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14399 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14401 MITRE NVD |
CVE Title: Chromium: CVE-2026-14401 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14401 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14401 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14400 MITRE NVD |
CVE Title: Chromium: CVE-2026-14400 Out of bounds write in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:44     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14400 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14400 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14403 MITRE NVD |
CVE Title: Chromium: CVE-2026-14403 Use after free in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:47     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14403 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14403 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14406 MITRE NVD |
CVE Title: Chromium: CVE-2026-14406 Out of bounds read in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:51     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14406 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14406 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14404 MITRE NVD |
CVE Title: Chromium: CVE-2026-14404 Inappropriate implementation in PDFium
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:48     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14404 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14404 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14402 MITRE NVD |
CVE Title: Chromium: CVE-2026-14402 Uninitialized Use in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:45     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14402 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14402 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14405 MITRE NVD |
CVE Title: Chromium: CVE-2026-14405 Uninitialized Use in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:50     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14405 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14405 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14407 MITRE NVD |
CVE Title: Chromium: CVE-2026-14407 Inappropriate implementation in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:53     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14407 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14407 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14409 MITRE NVD |
CVE Title: Chromium: CVE-2026-14409 Inappropriate implementation in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14409 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14409 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14408 MITRE NVD |
CVE Title: Chromium: CVE-2026-14408 Uninitialized Use in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:54     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14408 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14408 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14411 MITRE NVD |
CVE Title: Chromium: CVE-2026-14411 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14411 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14411 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14410 MITRE NVD |
CVE Title: Chromium: CVE-2026-14410 Inappropriate implementation in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:56     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14410 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14410 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14412 MITRE NVD |
CVE Title: Chromium: CVE-2026-14412 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:37:59     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14412 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14412 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14413 MITRE NVD |
CVE Title: Chromium: CVE-2026-14413 Uninitialized Use in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14413 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14413 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14414 MITRE NVD |
CVE Title: Chromium: CVE-2026-14414 Insufficient validation of untrusted input in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:02     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14414 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14414 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14415 MITRE NVD |
CVE Title: Chromium: CVE-2026-14415 Inappropriate implementation in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:03     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14415 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14415 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14416 MITRE NVD |
CVE Title: Chromium: CVE-2026-14416 Out of bounds read in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:04     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14416 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14416 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14417 MITRE NVD |
CVE Title: Chromium: CVE-2026-14417 Use after free in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:05     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14417 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14417 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14420 MITRE NVD |
CVE Title: Chromium: CVE-2026-14420 Out of bounds read and write in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:09     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14420 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14420 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14418 MITRE NVD |
CVE Title: Chromium: CVE-2026-14418 Uninitialized Use in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14418 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14418 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14419 MITRE NVD |
CVE Title: Chromium: CVE-2026-14419 Use after free in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14419 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14419 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14422 MITRE NVD |
CVE Title: Chromium: CVE-2026-14422 Out of bounds read and write in Tint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:55     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14422 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14422 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14423 MITRE NVD |
CVE Title: Chromium: CVE-2026-14423 Type Confusion in Tint
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14423 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14423 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14421 MITRE NVD |
CVE Title: Chromium: CVE-2026-14421 Uninitialized Use in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:25     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14421 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14421 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14424 MITRE NVD |
CVE Title: Chromium: CVE-2026-14424 Use after free in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:39:57     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14424 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14424 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14425 MITRE NVD |
CVE Title: Chromium: CVE-2026-14425 Use after free in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14425 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14425 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14426 MITRE NVD |
CVE Title: Chromium: CVE-2026-14426 Use after free in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14426 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14426 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14427 MITRE NVD |
CVE Title: Chromium: CVE-2026-14427 Heap buffer overflow in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14427 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14427 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14428 MITRE NVD |
CVE Title: Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:41:38     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14428 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14428 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14429 MITRE NVD |
CVE Title: Chromium: CVE-2026-14429 Insufficient validation of untrusted input in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14429 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14429 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14430 MITRE NVD |
CVE Title: Chromium: CVE-2026-14430 Integer overflow in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14430 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14430 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14432 MITRE NVD |
CVE Title: Chromium: CVE-2026-14432 Use after free in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14432 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14432 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-14431 MITRE NVD |
CVE Title: Chromium: CVE-2026-14431 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: What is the version information for this release?
Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T15:38:18     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14431 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14431 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50652 MITRE NVD |
CVE Title: Azure Active Directory Denial of Service Vulnerability
Description: Deserialization of untrusted data in Azure Active Directory allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50652 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Active Directory | Release Notes (Security Update) Release Notes (Security Update) Release Notes (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50652 | Vandit Aruldas with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50653 MITRE NVD |
CVE Title: Azure Active Directory Denial of Service Vulnerability
Description: Loop with unreachable exit condition ('infinite loop') in Azure Active Directory allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50653 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Active Directory | Release Notes (Security Update) Release Notes (Security Update) Release Notes (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50653 | Sridhar Periyasamy |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-33842 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment. Please refer to AppContainer isolation and Mandatory Integrity Control for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-33842 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-33842 | David Zhu with Microsoft Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-34328 MITRE NVD |
CVE Title: Windows Audio Service Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Audio Service allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory addresses belonging to the "EventLog" Windows service Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-34328 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-34328 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40422 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment. Please refer to AppContainer isolation and Mandatory Integrity Control for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40422 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-40422 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-41087 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an address from an object operating at a High Integrity Level in a contained ("sandboxed") execution environment. Please refer to AppContainer isolation and Mandatory Integrity Control for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-41087 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-41087 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40400 MITRE NVD |
CVE Title: Windows PowerShell Remote Code Execution Vulnerability
Description: Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40400 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-40400 | Quan Le from Unit 515 - OPSWAT Saif Shaker Peng Zhou (zpbrent) Anindya Roy Rayhan Destian Rayhan Destian Charlie Vogt Michael Monwuba with Microsoft MinhNV5 with MBBank PuH4ck3rX PuH4ck3rX with W&M YMsora Jishnu Sudhakaran Ky0toFu Povcfe Daniel R Anonymous TrendAI Zero Day Initiative TrendAI Zero Day Initiative Charlie Vogt |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-34348 MITRE NVD |
CVE Title: Windows Event Logging Service Information Disclosure Vulnerability
Description: Protection mechanism failure in Windows Event Logging Service allows an authorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-34348 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5089548 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-34348 | Michael Grafnetter with SpecterOps Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-44806 MITRE NVD |
CVE Title: Windows Secure Channel Denial of Service Vulnerability
Description: Missing release of memory after effective lifetime in Windows Cryptographic Services allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-44806 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-44806 | Anonymous Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40378 MITRE NVD |
CVE Title: Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
Description: Memory allocation with excessive size value in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40378 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-40378 | WARP & MORSE teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47304 MITRE NVD |
CVE Title: .NET Security Feature Bypass Vulnerability
Description: Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? The authentication feature could be bypassed as this vulnerability allows impersonation. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47304 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47304 | Levi Broderick |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-44800 MITRE NVD |
CVE Title: Windows Push Notifications Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? This vulnerability could lead to a contained execution environment escape. Please refer to AppContainer Isolation for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-44800 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-44800 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47632 MITRE NVD |
CVE Title: Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability
Description: Improper certificate validation in Azure Monitor Agent allows an unauthorized attacker to elevate privileges over an adjacent network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47632 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Azure Monitor Agent Metrics Extension | Release Notes (Security Update - Windows) Release Notes (Security Update - Linux) |
Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47632 | Gal Azaria with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48564 MITRE NVD |
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows DHCP Server allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An authenticated attacker could leverage a specially crafted RPC call to the DHCP service to exploit this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48564 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5094042 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5094042 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5094041 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5094041 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-48564 | Howard McGreehan with MSRC V&M WARP and ACS teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48581 MITRE NVD |
CVE Title: Surface Broker SDMA Elevation of Privilege Vulnerability
Description: Insufficient granularity of access control in Microsoft Surface allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. What actions do customers need to perform to be protected against this vulnerability? Surface devices get updates through Windows Update. See Surface update history for more information. If you wish to install the updates manually, you can do the following:
Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48581 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Surface Go 2 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Go 3 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Hub | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Hub 2S | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Hub 3 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Laptop Go | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Laptop Go 2 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Laptop Go 3 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Pro 7+ | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Microsoft Surface Pro 8 | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Surface Laptop 4 with AMD Processor | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Surface Laptop 4 with Intel Processor | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| Surface Windows Dev Kit | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-48581 | JC with Splinters.io |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-45646 MITRE NVD |
CVE Title: OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-45646 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft.AspNet.OData | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft.AspNetCore.OData | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-45646 | Anonymous Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49178 MITRE NVD |
CVE Title: Windows Active Directory Domain Services Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? A domain‑authenticated attacker with access to the NSPI RPC interface can provide crafted inputs that trigger an out‑of‑bounds write in the directory service process, leading to memory corruption/remote code execution. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. How could an attacker exploit the vulnerability? An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49178 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49178 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49180 MITRE NVD |
CVE Title: Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability
Description: Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49180 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49180 | Siva Jyoshna Poreddy |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49181 MITRE NVD |
CVE Title: Windows DHCP Client Elevation of Privilege Vulnerability
Description: Integer underflow (wrap or wraparound) in Windows DHCP Client allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49181 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49181 | Jay Ladhad with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49184 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49184 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49184 | pwn2addr 0rb1t with None Qanux with None Donghyeon Oh with Patchpoint Jonghoi Kim Anonymous Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract yhw & txz Anonymous Minjea Park with Stealien R4nger with Kunlun Lab & Zhiniang Peng with HUST Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49183 MITRE NVD |
CVE Title: Windows Clipboard Server Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Clipboard Server allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49183 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49183 | Jongseong Kim (nevul37), SEC-agent team Hwiwon Lee (hwiwonl), SEC-agent team Younggi Park (grill66), SEC-agent team Pwnforr777 Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49783 MITRE NVD |
CVE Title: Secure Boot Security Feature Bypass Vulnerability
Description: Improperly implemented security check for standard in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vulnerability could bypass Secure Boot. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49783 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49783 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49787 MITRE NVD |
CVE Title: HTTP.sys Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in Windows HTTP.sys allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49787 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49787 | Miha Zupan with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49788 MITRE NVD |
CVE Title: HTTP/2 Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in HTTP/2 allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49788 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49788 | Miha Zupan with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49789 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49789 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49789 | Thanatos Tian (HKPolyu) & wgg & @2st__ with Diffract R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49790 MITRE NVD |
CVE Title: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49790 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49790 | Thanatos Tian (HKPolyU) & npc0vo & wgg & PB18 & @2st__ with Diffract Hank Chen with InnoEdge Labs |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49791 MITRE NVD |
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49791 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49791 | BochengXiang(@Crispr) with FDU |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49792 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Numeric truncation error in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49792 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49792 | Dewang Ahluwalia Jonghoi Kim Donghyeon Oh with Patchpoint |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49793 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49793 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49793 | Dewang Ahluwalia |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49794 MITRE NVD |
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49794 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49794 | Seung Chan Kim Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49796 MITRE NVD |
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49796 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49796 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49795 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49795 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49795 | Kentaro Kawane with GMO Cybersecurity by Ierae, Inc. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49797 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49797 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49797 | Thanatos Tian & wgg & @2st__ with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49798 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. How could an attacker exploit this vulnerability? An attacker could run a specially crafted program on a local system that triggers the vulnerable function while a menu is being processed, causing the system to use memory that has already been freed. This can result in memory corruption, which an attacker may use to run malicious code. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49798 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 9.3 Temporal: 8.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49798 | Anonymous Jongseong Kim (nevul37), SEC-agent team Hwiwon Lee (hwiwonl), SEC-agent team Younggi Park (grill66), SEC-agent team Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50299 MITRE NVD |
CVE Title: Windows Storage Spaces Direct Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50299 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50299 | Anonymous Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49800 MITRE NVD |
CVE Title: Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49800 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49800 | nerty with Theori z1r0 Anonymous Dongjun Lee (m0nd2y) with KAIST Hacking Lab TwinkleStar03 with DEVCORE Internship Program Brandon Fisher Brandon Fisher Dongjun Lee (m0nd2y) with KAIST Hacking Lab Dongjun Lee with KAIST Hacking Lab nerty with Theori nerty with Theori Anonymous k0shl 021w with Vulnerability Research Institute |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49799 MITRE NVD |
CVE Title: Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
Description: Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49799 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49799 | Yehuda Smirnov with Microsoft Naor Evgi with White-Hat LTD Noam Pomerantz with CyberWallGlobal LTD |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50308 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Integer underflow (wrap or wraparound) in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50308 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50308 | Jianliang Zhao & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50311 MITRE NVD |
CVE Title: Windows Server Elevation of Privilege Vulnerability
Description: Improper access control in Windows Server allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50311 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50311 | mad31k working with TrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49804 MITRE NVD |
CVE Title: Windows USB Video Driver Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49804 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.6 Temporal: 5.8 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49804 | pwn2addr |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50294 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Exposure of sensitive system information to an unauthorized control sphere in Windows Kernel allows an unauthorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50294 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50294 | Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50333 MITRE NVD |
CVE Title: Windows Spaceport.sys Elevation of Privilege Vulnerability
Description: Missing authentication for critical function in Windows Spaceport.sys allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50333 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50333 | zickzick2 kaymin0128 zickzick2 Nathaniel Oh (@calysteon) Hae Seong Cho (yurok) Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST kang kang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49801 MITRE NVD |
CVE Title: Windows SMB Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49801 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49801 | sweetchip |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49802 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49802 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49802 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49806 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49806 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49806 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49805 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49805 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49805 | mad31k working with TrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49803 MITRE NVD |
CVE Title: Windows AppX Deployment Extensions Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows AppX Deployment Service allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49803 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49803 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50323 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50323 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50323 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50318 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50318 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50318 | pwn2addr Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50351 MITRE NVD |
CVE Title: Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability
Description: Improper access control in Windows Audio Compression Manager (ACM) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50351 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50351 | XBreach.ai Yehuda Smirnov with Microsoft Naor Evgi with White-Hat LTD CrowdStrike Advanced Research Team with CrowdStrike Mateusz Garncarek with Digital-Missiles Ali Toni with Al-Esraa University pwn2addr Andrea Bocchetti Lydéric LEFEBVRE with Blackfield Security Lydéric LEFEBVRE with Blackfield Security Noam Pomerantz Vishal Chauhan |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49807 MITRE NVD |
CVE Title: Windows DirectX Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49807 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49807 | Jmini with Stealien |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50342 MITRE NVD |
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description: Improper access control in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50342 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50342 | ChengBin Wang with ZheJiang Guoli Security Technology |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50298 MITRE NVD |
CVE Title: Windows Spaceport.sys Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50298 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50298 | Nils Holten Nils Holten Anonymous Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49808 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49808 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-49808 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50293 MITRE NVD |
CVE Title: Windows Internal Task Bar Elevation of Privilege Vulnerability
Description: Use after free in Windows Internal Task Bar allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50293 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50293 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50316 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50316 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50316 | Aman |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50354 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50354 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50354 | Seung Chan Kim yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50296 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Graphics Kernel allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50296 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50296 | Divya |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50297 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50297 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50297 | TrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50325 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50325 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50325 | TrendAI Zero Day Initiative |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50356 MITRE NVD |
CVE Title: Microsoft Windows App Store Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50356 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50356 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50384 MITRE NVD |
CVE Title: Windows Clip Service Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Clip Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50384 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50384 | Jongseong Kim (nevul37), SEC-agent team Hwiwon Lee (hwiwonl), SEC-agent team Younggi Park (grill66), SEC-agent team Pwnforr777 Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50295 MITRE NVD |
CVE Title: Windows Zero Trust DNS Security Feature Bypass Vulnerability
Description: Improper privilege management in Microsoft Windows DNS allows an authorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vulnerability could bypass Zero Trust DNS (ZTDNS) policy enforcement. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50295 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50295 | ChenJian with Sea Security Orca Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50350 MITRE NVD |
CVE Title: Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Trusted Runtime Interface Driver allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50350 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50350 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50381 MITRE NVD |
CVE Title: Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Composite Image File System Driver allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file metadata. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50381 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50381 | YuilMuil(Yoon Jung Hyun) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50300 MITRE NVD |
CVE Title: Windows DWM Core Library Information Disclosure Vulnerability
Description: Integer underflow (wrap or wraparound) in Windows Kernel allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50300 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50300 | Varun Goel |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50303 MITRE NVD |
CVE Title: Windows Key Guard Security Feature Bypass Vulnerability
Description: Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? The authentication feature could be bypassed as this vulnerability allows impersonation. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50303 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50303 | Leshi Yang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50364 MITRE NVD |
CVE Title: Windows Backup Service Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Windows Server Backup allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50364 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50364 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50302 MITRE NVD |
CVE Title: Windows Cryptographic Services Security Feature Bypass Vulnerability
Description: Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker can obtain keys, which could enable an attacker to partially bypass the application's cryptographic protections. Confidential information could be exposed to malicious users, including configuration data but not including personal information or credentials. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50302 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 4.2 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50302 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50332 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50332 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50332 | deepsec with DARKNAVY Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50372 MITRE NVD |
CVE Title: Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
Description: Buffer over-read in Windows Redirected Drive Buffering allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50372 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50372 | grass341 with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50305 MITRE NVD |
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50305 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50305 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50329 MITRE NVD |
CVE Title: Microsoft DWM Core Library Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50329 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50329 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50363 MITRE NVD |
CVE Title: Windows Push Notifications Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Push Notifications allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50363 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50363 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50392 MITRE NVD |
CVE Title: Windows Secure Kernel Mode Elevation of Privilege Vulnerability
Description: Use after free in Windows Secure Kernel Mode allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50392 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50392 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50304 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability? An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50304 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50304 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50328 MITRE NVD |
CVE Title: Windows Server Update Service (WSUS) Tampering Vulnerability
Description: Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability? An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50328 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Tampering | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50328 | f7d8c52bec79e42795cf15888b85cbad |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50306 MITRE NVD |
CVE Title: Windows TCP/IP Elevation of Privilege Vulnerability
Description: Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50306 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50306 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50360 MITRE NVD |
CVE Title: Windows SMB Server Elevation of Privilege Vulnerability
Description: Incorrect implementation of authentication algorithm in Windows SMB Server allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50360 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50360 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50393 MITRE NVD |
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50393 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50393 | Matthew Cox with Microsof (internal) Matthew Cox with Microsof (internal) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50412 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50412 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50412 | Microsoft Internal with Microsoft Thanatos Tian & wgg & @2st__ with Diffract Minjea Park Jmini Microsoft Red Team (MRT) with Microsoft haowei yan & xiaozun tang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50337 MITRE NVD |
CVE Title: Windows Notification Elevation of Privilege Vulnerability
Description: Incorrect type conversion or cast in Windows Notification allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50337 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50337 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50386 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50386 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50386 | Thanatos Tian & wgg & @2st__ with Diffract Microsoft Red Team (MRT) with Microsoft Anonymous Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50400 MITRE NVD |
CVE Title: Windows App Package Installer Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows App Installer allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50400 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50400 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50309 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50309 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50309 | Minjea Park Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50419 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50419 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50419 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50368 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50368 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50368 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50307 MITRE NVD |
CVE Title: Windows TCP/IP Elevation of Privilege Vulnerability
Description: Use after free in Windows TCP/IP allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50307 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50307 | Microsoft LC with VGCO - Vietnam Germany Connection yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50326 MITRE NVD |
CVE Title: Windows Unified Consent System Elevation of Privilege Vulnerability
Description: Use after free in Windows Unified Consent System allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50326 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50326 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50313 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50313 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50313 | R4nger with Kunlun Lab & Zhiniang Peng with HUST Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50440 MITRE NVD |
CVE Title: Windows Audio Service Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Audio Service allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50440 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50440 | Aobo Wang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50380 MITRE NVD |
CVE Title: Windows GDI+ Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by convincing a user to open or process a specially crafted EMF+ file that contains a malicious image record. When the file is rendered, the system may incorrectly handle the image data, causing it to write beyond the bounds of allocated memory and corrupt adjacent memory structures. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50380 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50380 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50327 MITRE NVD |
CVE Title: Windows Media Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Media allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50327 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50327 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50341 MITRE NVD |
CVE Title: Windows NTFS Information Disclosure Vulnerability
Description: Buffer over-read in Windows NTFS allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50341 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50341 | Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract Rahul Hoysala with OSI |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50407 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50407 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50407 | yhw & txz Thunder_J pwn2addr Thanatos Tian & wgg & @2st__ with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50331 MITRE NVD |
CVE Title: Windows Application Model Core API Elevation of Privilege Vulnerability
Description: Use after free in Windows Application Model allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50331 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50331 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50343 MITRE NVD |
CVE Title: Microsoft Install Service Elevation of Privilege Vulnerability
Description: Improper privilege management in Microsoft Install Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50343 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50343 | pwnky Noam Pomerantz with Cyberwallglobal Yehuda Smirnov with Microsoft Naor Evgi with White-Hat LTD Andrea Bocchetti ChengBin Wang with ZheJiang Guoli Security Technology Anonymous with SSD Secure Disclosure Daniel Wade with nadsec Anonymous yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50396 MITRE NVD |
CVE Title: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50396 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50396 | grass341 with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50370 MITRE NVD |
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over an adjacent network. FAQ: How could an attacker exploit this vulnerability? An authenticated user could exploit this vulnerability by sending specially crafted network traffic to a server configured for use as a Dynamic Host Configuration Protocol (DHCP) Server. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50370 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50370 | Linzishan & Anemone & Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50347 MITRE NVD |
CVE Title: Windows Data.dll Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Data dll allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50347 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50347 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50321 MITRE NVD |
CVE Title: Windows USB Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Driver allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50321 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50321 | Kamil Leoniak at Delphos Labs Delphos Labs Kamil Leoniak at Delphos Labs Delphos Labs |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50425 MITRE NVD |
CVE Title: Windows Internal System User Profile Elevation of Privilege Vulnerability
Description: Use after free in Windows Internal System User Profile allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50425 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50425 | Vamshi Krishna Bolly |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50315 MITRE NVD |
CVE Title: Windows Image Acquisition Elevation of Privilege Vulnerability
Description: Null pointer dereference in Windows Image Acquisition allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to Local Service. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50315 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50315 | h4urek with secsys lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50434 MITRE NVD |
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50434 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50434 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50339 MITRE NVD |
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50339 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50339 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50430 MITRE NVD |
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Push Notifications allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50430 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50430 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50310 MITRE NVD |
CVE Title: Windows Human Interface Device Information Disclosure Vulnerability
Description: Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50310 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50310 | CrowdStrike Advanced Research Team with CrowdStrike |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50324 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50324 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50324 | Anonymous Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50312 MITRE NVD |
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description: Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50312 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50312 | Soon Oh with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50330 MITRE NVD |
CVE Title: Windows Remote Desktop Client Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to elevate privileges over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50330 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50330 | Nicholas Vadasz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50357 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description: Numeric truncation error in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50357 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50357 | Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50377 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50377 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50377 | Gabriela Kote with Microsoft Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50390 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50390 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50390 | wisi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50452 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50452 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50452 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50348 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50348 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50348 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50345 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50345 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50345 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50322 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50322 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50322 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50335 MITRE NVD |
CVE Title: Windows Operating Systems Elevation of Privilege Vulnerability
Description: Improper access control in Windows Operating Systems allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50335 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50335 | Tomer Peled with Akamai |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50375 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows DirectX allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50375 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50375 | Anonymous Azure Yang with Kunlun Lab YuilMuil esakis Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab Anonymous yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50361 MITRE NVD |
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description: Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50361 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50361 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50317 MITRE NVD |
CVE Title: Windows Operating Systems Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Operating Systems allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50317 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50317 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50340 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50340 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.5 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50340 | h4urek with secsys lab Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50404 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50404 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50404 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50366 MITRE NVD |
CVE Title: Windows Active Directory Domain Services Denial of Service Vulnerability
Description: Null pointer dereference in Active Directory Domain Services allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50366 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50366 | WARP and ACS teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50416 MITRE NVD |
CVE Title: Win32k Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50416 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 3.3 Temporal: 2.9 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50416 | Minjea Park with Stealien CrowdStrike Advanced Research Team with CrowdStrike |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50358 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Use after free in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50358 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50358 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50355 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50355 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50355 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50428 MITRE NVD |
CVE Title: Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Container Isolation FS Filter Driver (unionfs.sys) allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50428 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50428 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50373 MITRE NVD |
CVE Title: Windows Search Service Elevation of Privilege Vulnerability
Description: Improper access control in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50373 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50373 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50353 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50353 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50353 | SnowRockLab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50388 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Out-of-bounds read in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50388 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50388 | Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50410 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50410 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50410 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50449 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50449 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50449 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50371 MITRE NVD |
CVE Title: Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows LUAFV allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50371 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50371 | Nguyễn Văn Thiện LC with VGCO - Vietnam Germany Connection |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50336 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50336 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50336 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50398 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50398 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50398 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50414 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50414 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50414 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50379 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50379 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50379 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50463 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50463 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50463 | Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50460 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50460 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50460 | Anonymous h4urek with secsys lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50403 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50403 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50403 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50433 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Use after free in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50433 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50433 | Angelboy (@scwuaptx) with DEVCORE |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50391 MITRE NVD |
CVE Title: Windows Group Policy Elevation of Privilege Vulnerability
Description: Improper privilege management in Windows Group Policy allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50391 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50391 | Filip Dragović |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50418 MITRE NVD |
CVE Title: Windows System Secure Feature Bypass Vulnerability
Description: Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). What kind of security feature could be bypassed by successfully exploiting this vulnerability? The authentication feature could be bypassed as this vulnerability allows impersonation. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50418 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.1 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50418 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50423 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Improper access control in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50423 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50423 | Filip Dragović |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50378 MITRE NVD |
CVE Title: Windows Key Guard Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Key Guard allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50378 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50378 | Leshi Yang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50401 MITRE NVD |
CVE Title: Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50401 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50401 | RanchoIce |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50346 MITRE NVD |
CVE Title: Netlogon RPC Elevation of Privilege Vulnerability
Description: Improper authorization in RPC Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50346 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50346 | Howard McGreehan with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50376 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? This attack requires a victim user on the client to enable Remote Audio Playback and Recording and connect to a malicious server. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50376 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50376 | YingQi Shi with DBAPPSecurity WeBin Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50397 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? For an attacker to exploit this vulnerability, they would need to have knowledge of a specific operation that triggers a memory allocation failure, specifically a use after free. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50397 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50397 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50405 MITRE NVD |
CVE Title: Windows Filtering Platform Elevation of Privilege Vulnerability
Description: Insufficient granularity of access control in Windows Filtering Platform (WFP) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50405 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50405 | Prayas(Pro bear) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50448 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user would need to mount a .vhd file to be compromised by the attacker. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50448 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50448 | Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST Minjea Park |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50387 MITRE NVD |
CVE Title: Windows GDI Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows GDI allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50387 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office for Android | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50387 | Donghyeon Oh with Patchpoint Jonghoi Kim Anonymous Kentaro Kawane with GMO Cybersecurity by Ierae, Inc. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50334 MITRE NVD |
CVE Title: Windows Push Notification Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Notification allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50334 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50334 | Yun Cong |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50445 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50445 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50445 | Sanil Singh Tomar with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50344 MITRE NVD |
CVE Title: Windows OLE Elevation of Privilege Vulnerability
Description: Improper authorization in Windows OLE allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50344 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50344 | Hart Wilson with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50352 MITRE NVD |
CVE Title: Windows Cryptographic Services Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could obtain limited memory-related information, specifically a heap address returned by the affected service. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50352 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50352 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50382 MITRE NVD |
CVE Title: DirectX Graphics Kernel Remote Code Execution Vulnerability
Description: Untrusted pointer dereference in Windows DirectX allows an authorized attacker to execute code locally. FAQ: How could an attacker exploit this vulnerability? An attacker can exploit this vulnerability by getting access to the local guest VM so they can attack the Host OS. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50382 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50382 | pwn2addr |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50436 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50436 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50436 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50437 MITRE NVD |
CVE Title: Windows DWM Core Library Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50437 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50437 | Varun Goel |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50471 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user would need to mount a .vhd file to be compromised by the attacker. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50471 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50471 | Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST Sergey immortalp0ny Tarasov with Positive Technologies |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50369 MITRE NVD |
CVE Title: Windows Remote Desktop Services Elevation of Privilege Vulnerability
Description: Use after free in Windows Remote Desktop Services allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. How could an attacker exploit this vulnerability? To successfully exploit this elevation of privilege vulnerability, an attacker would be required to perform a remote connection to a vulnerable machine and then manipulate the size of memory allocation through integer overflow. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50369 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50369 | Mateusz Garncarek with Digital-Missiles Xuanzhe Yu syxlox with Siemens Energy |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50469 MITRE NVD |
CVE Title: Windows Projected File System Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Windows Projected File System allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker would be able to delete any system files. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50469 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50469 | Grant Hume |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50454 MITRE NVD |
CVE Title: Windows User Interface Core Elevation of Privilege Vulnerability
Description: Relative path traversal in Windows User Interface Core allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker would be able to delete any system files. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50454 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50454 | @2st___ of Diffract Zhiniang Peng with HUST Thanatos Tian of Diffract Anonymous Daniel Friedl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50365 MITRE NVD |
CVE Title: Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability
Description: Improper authentication in Windows RPC API allows an unauthorized attacker to elevate privileges over an adjacent network. FAQ: According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability? This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require machine-in-the-middle (MITM) type setups or that rely on initially gaining a foothold in another environment. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? To trigger this vulnerability, a user must actively connect to the affected server and run a specific command. The vulnerability cannot be triggered automatically or in the background; it only occurs when a user intentionally interacts with the server using this command. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50365 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50365 | Howard McGreehan with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50426 MITRE NVD |
CVE Title: Windows DNS Server Remote Code Execution Vulnerability
Description: Relative path traversal in DNS Server allows an authorized attacker to execute code over an adjacent network. FAQ: According to the CVSS score, the attack vector is adjacent (AV:A). What does this mean for this vulnerability? This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network. According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires the attacker to be part of DnsAdmins group. As is best practice, regular validation and audits of administrative groups should be conducted. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50426 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50426 | pwnky |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50385 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could use this vulnerability to elevate privileges from a Low Integrity Level in a contained ("sandboxed") execution environment to a Medium Integrity Level. Please refer to AppContainer isolation and Mandatory Integrity Control for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50385 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50385 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50413 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could use this vulnerability to elevate privileges from a Low Integrity Level in a contained ("sandboxed") execution environment to a Medium Integrity Level. Please refer to AppContainer isolation and Mandatory Integrity Control for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50413 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50413 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50427 MITRE NVD |
CVE Title: Content Delivery Manager Elevation of Privilege Vulnerability
Description: Use after free in Content Delivery Manager allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50427 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50427 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50422 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50422 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50422 | Microsoft Internal with Microsoft Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50421 MITRE NVD |
CVE Title: Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Windows Connected User Experiences and Telemetry allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50421 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50421 | Zhang WangJunJie@Hillstone, He YiSheng |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50374 MITRE NVD |
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50374 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50374 | Axel Mierczuk with Trail of Bits Maciej Domanski with Trail of Bits |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50367 MITRE NVD |
CVE Title: Windows Sensor Data Service Elevation of Privilege Vulnerability
Description: Incorrect access of indexable resource ('range error') in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50367 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50367 | Dongjun Lee (m0nd2y) with KAIST Hacking Lab Anonymous Thanatos Tian & wxz & @2st__ with Diffract Dongjun Lee (m0nd2y) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50383 MITRE NVD |
CVE Title: Windows Print Spooler Information Disclosure Vulnerability
Description: Buffer over-read in Windows Print Spooler Components allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50383 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50383 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50451 MITRE NVD |
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description: Missing authentication for critical function in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50451 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50451 | Brandon Fisher Brandon Fisher |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50455 MITRE NVD |
CVE Title: Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability
Description: Use of uninitialized resource in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? This vulnerability could allow a local, non‑administrator attacker to read any files that are accessible to the UPnP Device Host Service, which runs under the LOCAL SERVICE account. This may include restricted system files or configuration data that the attacker would not normally be able to access. The specific information exposed depends on the files that the service is permitted to read. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50455 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50455 | AI's physical interface 03 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50466 MITRE NVD |
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description: Use after free in Windows Brokering File System allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50466 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50466 | dd484a5a34dd0f6d5330345ffe642dfc Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab Grant Hume |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50402 MITRE NVD |
CVE Title: NTFS Elevation of Privilege Vulnerability
Description: Incorrect conversion between numeric types in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50402 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50402 | Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract Jiayi Sun |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50435 MITRE NVD |
CVE Title: Windows Overlay Filter Elevation of Privilege Vulnerability
Description: Buffer over-read in Windows Overlay Filter allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50435 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50435 | Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50409 MITRE NVD |
CVE Title: Windows Overlay Filter Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Overlay Filter allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50409 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50409 | Chen Le Qi(@cplearns2h4ck) with STAR Labs SG Pte. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50441 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description: Untrusted pointer dereference in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50441 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50441 | Donghyeon Oh with Patchpoint Jonghoi Kim Thanatos Tian (HKPolyU) & wgg & @2st__ with Diffract & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50465 MITRE NVD |
CVE Title: Windows DNS Client Tampering Vulnerability
Description: Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50465 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Tampering | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50465 | Brandon Fisher Brandon Fisher |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50439 MITRE NVD |
CVE Title: Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability
Description: Use after free in Microsoft Message Queuing Queue Manager allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50439 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50439 | k0shl k0shl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50462 MITRE NVD |
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description: External control of file name or path in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50462 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50462 | Erik Egsgard with Field Effect |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50457 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could elevate from a low integrity level up to a medium integrity level. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50457 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50457 | Vamshi Krishna Bolly |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50473 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50473 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50473 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50442 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50442 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50442 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50389 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the server object address. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50389 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50389 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50456 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation of this vulnerability could leak the address of a medium integrity process to a lower integrity caller process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50456 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50456 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50432 MITRE NVD |
CVE Title: Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability
Description: Use after free in Windows Virtual Filtering Platform (VFP) allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50432 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50432 | Jun Young Lee with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50399 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50399 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50399 | Arjun Vasudeva with MSRC Exploit Research Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50461 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user would need to mount a .vhd file to be compromised by the attacker. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50461 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50461 | Anonymous R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50431 MITRE NVD |
CVE Title: Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability
Description: Unknown FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50431 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50431 | hazard |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50453 MITRE NVD |
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50453 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50453 | Donghyeon Oh with Patchpoint Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50417 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50417 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50417 | Anonymous Jonghoi Kim Donghyeon Oh with Patchpoint Thanatos Tian & @2st__ with Diffract yhw & txz Anonymous Microsoft Red Team (MRT) with Microsoft R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50447 MITRE NVD |
CVE Title: Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending a specially crafted request containing a maliciously formed domain name to a vulnerable service. When the system processes this input, it may incorrectly calculate the required memory size and write beyond the allocated buffer, resulting in memory corruption that could allow further compromise of the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50447 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50447 | Azure Yang with Kunlun Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50438 MITRE NVD |
CVE Title: Microsoft PC Manager Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50438 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft PC Manager | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50438 | .bat |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50420 MITRE NVD |
CVE Title: HTTP.sys Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50420 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50420 | grass341 with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50362 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50362 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50362 | Donghyeon Oh with Patchpoint and Jonghoi Kim Donghyeon Oh with Patchpoint and Jonghoi Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50474 MITRE NVD |
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description: Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50474 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50474 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50411 MITRE NVD |
CVE Title: Windows Active Directory Federation Services Denial of Service Vulnerability
Description: Stack-based buffer overflow in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50411 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50411 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50444 MITRE NVD |
CVE Title: Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
Description: Missing authentication for critical function in Windows Server Update Service allows an authorized attacker to elevate privileges over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50444 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50444 | Hugo VINCENT with Synacktiv |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50394 MITRE NVD |
CVE Title: Windows Media Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Media allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50394 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50394 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50415 MITRE NVD |
CVE Title: Windows Media Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Media allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50415 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.3 Temporal: 4.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50415 | David Zhu with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50458 MITRE NVD |
CVE Title: Microsoft Brokering File System Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50458 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50458 | anonymous anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50475 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Buffer over-read in Windows Kernel allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50475 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50475 | grass341 with Viettel Cyber Security KPC with Cisco Talos KPC with Cisco Talos |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50476 MITRE NVD |
CVE Title: Windows Network Connections Service Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Windows allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50476 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50476 | Hwiwon Lee (hwiwonl), SEC-agent team Jongseong Kim (nevul37), SEC-agent team Younggi Park (grill66), SEC-agent team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50429 MITRE NVD |
CVE Title: Windows Kernel Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50429 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50429 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50450 MITRE NVD |
CVE Title: Windows Network Connections Service Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Wireless Wide Area Network Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50450 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50450 | h4urek with secsys lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50424 MITRE NVD |
CVE Title: Windows Domain Controller Denial of Service Vulnerability
Description: Untrusted pointer dereference in Windows Domain Controller allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50424 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50424 | [Yuval Gordon](https://x.com/yug0rd) with Akamai [Yuval Gordon](https://x.com/yug0rd) with Akamai |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50406 MITRE NVD |
CVE Title: Windows Backup Engine Elevation of Privilege Vulnerability
Description: Use after free in Windows Backup Engine allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50406 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50406 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50470 MITRE NVD |
CVE Title: Windows Network Policy Server SNMP Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Network Policy Server SNMP allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read portions of process memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50470 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50470 | Lewis Lee & Anemone & Zhiniang Peng (HUST) Lewis Lee & Anemone & Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50459 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50459 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50459 | Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50477 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50477 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50477 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50478 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50478 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50478 | Gabriela Kote with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50479 MITRE NVD |
CVE Title: Windows USB Hub Driver Elevation of Privilege Vulnerability
Description: Untrusted pointer dereference in Windows USB Hub Driver allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50479 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50479 | Adrian Denkiewicz at Doyensec in collaboration with Anthropic Research
[Adrian Denkiewicz at Doyensec in collaboration with Claude and Anthropic Research](https://doyensec.com) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50480 MITRE NVD |
CVE Title: Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50480 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) 5099415 (IE Cumulative) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) 5099415 (IE Cumulative) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099415 (IE Cumulative) 5099444 (Monthly Rollup) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099415 (IE Cumulative) 5099444 (Monthly Rollup) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50480 | Rutuja Shirali with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50482 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50482 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50482 | R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50495 MITRE NVD |
CVE Title: DNS Client Tampering Vulnerability
Description: Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50495 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Tampering | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50495 | Sneha Ravichandran with microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50483 MITRE NVD |
CVE Title: Windows Graphics Component Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50483 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50483 | Hussein Alrubaye with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50484 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50484 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50484 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50493 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Graphics Kernel allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50493 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50493 | YuilMuil(Yoon Jung Hyun) dungnm with Viettel Cyber Security dungnm with Viettel Cyber Security Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab Anonymous SnowRockLab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50502 MITRE NVD |
CVE Title: Windows Event Logging Service Remote Code Execution Vulnerability
Description: Insufficient granularity of access control in Windows Event Logging Service allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50502 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50502 | Romain BENTZ with Login Sécurité Grant Hume |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50485 MITRE NVD |
CVE Title: Windows Hyper-V Denial of Service Vulnerability
Description: Buffer over-read in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50485 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 4.5 Temporal: 3.9 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50485 | Anonymous Anonymous Jungwoo Lee with KAIST SoftSec Lab Wongi Lee with Theori Linzishan & Anemone & Zhiniang Peng (HUST) sweetchip Daejin Lee |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50486 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Use after free in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50486 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50486 | Vamshi Krishna Bolly |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50487 MITRE NVD |
CVE Title: Windows DNS Client Elevation of Privilege Vulnerability
Description: Use after free in Microsoft Windows DNS allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50487 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50487 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50488 MITRE NVD |
CVE Title: Clipboard User Service Elevation of Privilege Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Windows Clipboard User Service allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50488 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50488 | Pwnforr777 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50500 MITRE NVD |
CVE Title: Windows Netlogon Elevation of Privilege Vulnerability
Description: Use after free in Windows Netlogon allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50500 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50500 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50499 MITRE NVD |
CVE Title: Windows Print Spooler Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50499 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50499 | Brandon Fisher Brandon Fisher |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50489 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50489 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50489 | Anonymous Marcin Wiązowski |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50494 MITRE NVD |
CVE Title: Windows NTFS Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50494 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50494 | Sergey immortalp0ny Tarasov with Positive Technologies Minjea Park with STEALIEN |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50490 MITRE NVD |
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description: Use after free in Windows Installer allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50490 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50490 | Jongseong Kim (nevul37), SEC-agent team Hwiwon Lee (hwiwonl), SEC-agent team Younggi Park (grill66), SEC-agent team Dongjun Kim (smlijun), SEC-agent team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50498 MITRE NVD |
CVE Title: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50498 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50498 | R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50505 MITRE NVD |
CVE Title: Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability
Description: Use after free in Windows Message Queuing allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50505 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50505 | k0shl k0shl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50491 MITRE NVD |
CVE Title: Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Code Integrity DLL (ci.dll) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50491 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50491 | grass341 with Viettel Cyber Security Souhail Hammou |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50492 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50492 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50492 | pwn2addr Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50501 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50501 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50501 | Donghyeon Oh with Patchpoint Jonghoi Kim Thanatos Tian & wgg & @2st__ with Diffract pwn2addr Aobo Wang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50503 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50503 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50503 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50497 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Off-by-one error in Windows Remote Desktop Protocol allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50497 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50497 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50496 MITRE NVD |
CVE Title: Windows Network Policy Server SNMP Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Network Policy Server SNMP allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50496 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50496 | Zishan Lin & Anemone & Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50504 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Buffer over-read in Remote Desktop Client allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50504 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50504 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-47295 MITRE NVD |
CVE Title: Microsoft SQL Server Elevation of Privilege Vulnerability
Description: Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. FAQ: How could an attacker exploit the vulnerability? An attacker could inject arbitrary T-SQL commands by crafting a malicious database name. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain sysadmin privileges. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47295 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | 5102340 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack | 5102339 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (CU 31) | 5102337 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2017 for x64-based Systems (GDR) | 5102338 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (CU 32) | 5102335 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2019 for x64-based Systems (GDR) | 5102336 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (CU 25) | 5101347 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2022 for x64-based Systems (GDR) | 5102334 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47295 | Anonymous Fabiano Amorim with Pythian Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50509 MITRE NVD |
CVE Title: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
Description: Deserialization of untrusted data in Windows Wireless Wide Area Network Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50509 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50509 | ChengBin Wang with ZheJiang Guoli Security Technology pwnky |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50510 MITRE NVD |
CVE Title: GitHub Copilot Remote Code Execution Vulnerability
Description: Improper restriction of names for files and other resources in Github Copilot allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50510 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| GitHub Copilot Plugin for JetBrains IDEs | (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50510 | Nacl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50518 MITRE NVD |
CVE Title: Windows DHCP Server Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending specially crafted network requests containing malicious domain name data to a system running the affected component. Because the function does not correctly validate the size of incoming data, the malformed input may cause memory corruption, which an attacker could use to disrupt the service or potentially execute code on the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50518 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50518 | Amit Schendel with Ventris Lewis Lee Owen McCullough with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50525 MITRE NVD |
CVE Title: .NET Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50525 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50525 | Levi Broderick |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50526 MITRE NVD |
CVE Title: .NET Tampering Vulnerability
Description: Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50526 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Tampering | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Tampering | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50526 | Siwei Li with Microsoft Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50527 MITRE NVD |
CVE Title: .NET Framework Denial of Service Vulnerability
Description: Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50527 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50527 | Levi Broderick |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50528 MITRE NVD |
CVE Title: .NET Security Feature Bypass Vulnerability
Description: Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? The authentication feature could be bypassed as this vulnerability allows impersonation. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50528 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50528 | Ky0toFu Henrique Pereira with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50646 MITRE NVD |
CVE Title: .NET Framework Remote Code Execution Vulnerability
Description: Protection mechanism failure in .NET Framework allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50646 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5087537 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5087537 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5087061 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 5087061 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5087061 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 | 5087537 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) | 5087537 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5087061 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5087061 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5087066 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems | 5087066 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5087066 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5087064 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5087066 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5087066 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5087068 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5087068 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5087053 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5087058 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5087058 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5092430 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5092430 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5092427 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5092427 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5087059 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5087059 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5087057 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5087057 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5087048 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5087048 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5087049 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5087049 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5087062 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5087062 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5087063 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5087063 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5087065 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5087065 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5087067 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5087067 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5087069 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5087069 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 5087065 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 5087065 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50646 | Ky0toFu 41ae55e9310ff27fa6f26af4727e5590 Kevin Gosse |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50647 MITRE NVD |
CVE Title: Active Directory Federation Server Denial of Service Vulnerability
Description: Loop with unreachable exit condition ('infinite loop') in Active Directory Federation Services (AD FS) allows an unauthorized attacker to deny service over a network. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of availability (A:H). What does that mean for this vulnerability? An attacker can send specially crafted packets which could affect availability of the service and result in Denial of Service (DoS). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50647 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50647 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50648 MITRE NVD |
CVE Title: .NET Framework Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50648 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) | 5087537 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5087061 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5087064 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5087066 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5087068 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5087053 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5087058 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5092430 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5092427 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5087059 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5087057 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5087048 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5087049 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5087062 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5087063 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5087067 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5087069 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 5087065 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50648 | 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50649 MITRE NVD |
CVE Title: .NET Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50649 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50649 | Kevin Gosse 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50650 MITRE NVD |
CVE Title: .NET Framework Elevation of Privilege Vulnerability
Description: Improper control of generation of code ('code injection') in .NET Framework allows an unauthorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50650 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems | 5087537 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems | 5087537 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5087061 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5087061 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 | 5087537 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation) | 5087537 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 | 5087061 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation) | 5087061 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5087066 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5087066 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5087064 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 | 5087066 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation) | 5087066 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5087068 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5087068 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5087053 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5087058 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5087058 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5092430 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5092430 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5092427 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5092427 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5087077 (Security Update) 5092431 (Security Update) |
Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5087059 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5087059 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5087057 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5087057 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5087048 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5087048 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5087049 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5087049 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5087062 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5087062 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5087063 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5087063 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5087065 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5087065 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5087067 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5087067 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5087069 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5087069 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 | 5087065 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation) | 5087065 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50650 | 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50651 MITRE NVD |
CVE Title: .NET Denial of Service Vulnerability
Description: Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50651 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Denial of Service | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50651 | Miha Zupan with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50655 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50655 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50655 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50657 MITRE NVD |
CVE Title: Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability
Description: Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50657 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Defender for Endpoint for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 4.7 Temporal: 4.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50657 | Eugene Lim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50658 MITRE NVD |
CVE Title: Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
Description: Time-of-check time-of-use (toctou) race condition in Microsoft Defender allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50658 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Defender for Endpoint for Mac | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50658 | Eugene Lim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50659 MITRE NVD |
CVE Title: .NET Spoofing Vulnerability
Description: Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50659 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Spoofing | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Spoofing | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50659 | hamayanhamayan |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50661 MITRE NVD |
CVE Title: Windows BitLocker Security Feature Bypass Vulnerability
Description: Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | Yes | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50661 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50661 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50666 MITRE NVD |
CVE Title: Windows Remote Access Elevation of Privilege Vulnerability
Description: Use after free in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50666 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50666 | h4urek with secsys lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50667 MITRE NVD |
CVE Title: Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50667 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50667 | Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50668 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to elevate privileges with a physical attack. FAQ: According to the CVSS metric, the attack vector is physical (AV:P). What does that mean for this vulnerability? An attacker with physical access to a vulnerable system could insert a specially crafted USB device. Are there additional attack vectors? This vulnerability could also be exploited through a local attack vector. An attacker authenticated as an administrator on a vulnerable system could mount a specially crafted virtual hard drive (VHD) to exploit the system. This scenario results in a lower CVSS score which is why the primary attack vector is listed as Physical in our documentation. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50668 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50668 | Thanatos Tian & wgg & @2st__ with Diffract Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50669 MITRE NVD |
CVE Title: Windows Telephony Server Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50669 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50669 | z1r0 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50670 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50670 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50670 | grass341 with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50672 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Use after free in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50672 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50672 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50673 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Null pointer dereference in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50673 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50673 | 5n1p3r0010 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50674 MITRE NVD |
CVE Title: Windows USB Print Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain kernel memory content. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50674 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50674 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50676 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50676 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50676 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50677 MITRE NVD |
CVE Title: Windows Media Elevation of Privilege Vulnerability
Description: Use after free in Windows Media allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50677 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50677 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54115 MITRE NVD |
CVE Title: Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Active Directory allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54115 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54115 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50684 MITRE NVD |
CVE Title: Active Directory Federation Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Active Directory Federation Services (AD FS) allows an authorized attacker to perform spoofing over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50684 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Spoofing | None | Base: 4.8 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50684 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50679 MITRE NVD |
CVE Title: Windows Search Service Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to a High Integrity Level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50679 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50679 | Anonymous haowei yan h4urek with secsys lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50688 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50688 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50688 | Kentaro Kawane with GMO Cybersecurity by Ierae, Inc. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50680 MITRE NVD |
CVE Title: Windows Hyper-V Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Hyper-V allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50680 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50680 | Artur Stetsko |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50681 MITRE NVD |
CVE Title: Windows Secure Channel Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Cryptographic Services allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is internal memory pointers. These leaked addresses could help an attacker bypass security protection and facilitate further exploitation. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50681 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50681 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54121 MITRE NVD |
CVE Title: Active Directory Certificate Services Elevation of Privilege Vulnerability
Description: Improper authorization in Active Directory Certificate Services (AD CS) allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. How could an attacker exploit this vulnerability? An authenticated attacker could manipulate attributes associated with a machine account and obtain a certificate from Active Directory Certificate Services that allows authentication as that machine via PKINIT. If a Domain Controller account can be targeted, the attacker could authenticate as the Domain Controller and gain the ability to perform privileged Active Directory operations. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54121 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54121 | Aniq Fakhrul
Muhammad Ali Aniq Fakhrul Aniq Fakhrul Muhammad Ali |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50682 MITRE NVD |
CVE Title: Active Directory Denial of Service Vulnerability
Description: Out-of-bounds read in Windows Active Directory allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50682 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50682 | WARP and ACS teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50685 MITRE NVD |
CVE Title: Windows DHCP Server Remote Code Execution Vulnerability
Description: Double free in Windows DHCP Server allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50685 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50685 | WARP and ACS teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50683 MITRE NVD |
CVE Title: Windows DHCP Client Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows DHCP Server allows an authorized attacker to elevate privileges over an adjacent network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50683 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.0 Temporal: 7.0 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50683 | WARP and ACS teams at Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50687 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50687 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50687 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50686 MITRE NVD |
CVE Title: Windows OLE Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Windows OLE allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50686 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50686 | Hamza Nauman with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50689 MITRE NVD |
CVE Title: Windows Clipboard Server Elevation of Privilege Vulnerability
Description: Use after free in Windows Clipboard Server allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50689 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50689 | Hamza Nauman with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54125 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54125 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54125 | Arpit Gupta |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50690 MITRE NVD |
CVE Title: Windows SMB Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is unauthorized file system access - reading from the file system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50690 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50690 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50692 MITRE NVD |
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Desktop Window Manager allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50692 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50692 | Anonymous Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54128 MITRE NVD |
CVE Title: Windows DHCP Client Remote Code Execution Vulnerability
Description: Use after free in Windows DHCP Client allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54128 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54128 | Owen McCullough with MSRC V&M |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54126 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability? An unauthorized attacker must wait for a user to initiate a connection. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54126 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-54126 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55010 MITRE NVD |
CVE Title: Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Minecraft Bedrock Dedicated Server allows an unauthorized attacker to execute code over a network. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability? This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55010 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Minecraft Bedrock Dedicated Server | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-55010 | Ming-Shiang Tzou (ConsoleBreak) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47290 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47290 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002273 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002273 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-47290 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47642 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47642 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47642 | Haifei Li with EXPMON |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-48580 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-48580 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-48580 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50301 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50301 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-50301 | Jeongmin Choi(https://x.com/lmksecurity) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50314 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50314 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50314 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50467 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50467 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50467 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55017 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55017 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002273 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002273 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-55017 | Quan Jin with DBAPPSecurity WeBin Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55016 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55016 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55016 | 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55024 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55024 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55024 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50408 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50408 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50408 | f4 & Zhiniang Peng with HUST 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55019 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55019 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55019 | 41ae55e9310ff27fa6f26af4727e5590 P1hcn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55018 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55018 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55018 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55046 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the local memory address. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55046 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55046 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55020 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55020 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55020 | Kn1ght Kn1ght |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55021 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55021 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55021 | P1hcn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55022 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55022 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55022 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55023 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the local memory address. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55023 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55023 | Haein Lee HangAn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55025 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55025 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55025 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55030 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55030 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55030 | P1hcn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55125 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55125 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55125 | Haein Lee 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55031 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55031 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55031 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55026 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55026 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55026 | Haein Lee |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55048 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55048 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55048 | Anonymous 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55034 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55034 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55034 | P1hcn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55027 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55027 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55027 | Haein Lee Jeongmin Choi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55029 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55029 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55029 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55028 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55028 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55028 | Haein Lee 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55047 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55047 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55047 | Haein Lee |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55039 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55039 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55039 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55045 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55045 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Remote Code Execution | None | Base: 8.4 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55045 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55050 MITRE NVD |
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55050 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55050 | 0ccbbf129444eb66344ccafb92b00df4 Jeongmin Choi with S2W Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55049 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55049 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002748 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002748 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55049 | 0ccbbf129444eb66344ccafb92b00df4 Jeongmin Choi with S2W haowei yan & xiaozun tang |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55032 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55032 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55032 | Haifei Li with EXPMON |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55033 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55033 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55033 | kunlun Lab & GLM Seung Chan Kim Haein Lee with KAIST Hacking Lab Anonymous kunlun Lab & GLM |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55041 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55041 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55041 | Haein Lee with KAIST Hacking Lab yhw & txz Jeongmin Choi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55138 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55138 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55138 | f4 & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55124 MITRE NVD |
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description: Improper validation of specified type of input in Microsoft Office Word allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55124 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55124 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55127 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55127 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55127 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55136 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55136 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55136 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55141 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55141 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55141 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55129 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55129 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55129 | Haein Lee with KAIST Hacking Lab txz and yhw |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55035 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55035 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55035 | Jeongmin Choi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55036 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55036 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55036 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55044 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55044 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55044 | Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55055 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55055 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55055 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55054 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55054 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55054 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55037 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55037 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55037 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55058 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55058 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55058 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55038 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55038 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55038 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55132 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Double free in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55132 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55132 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55137 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55137 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55137 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55053 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55053 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55053 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55122 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55122 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55122 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55057 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55057 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55057 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55131 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55131 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55131 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55126 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55126 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 7.3 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55126 | Vladislav Berghici of TrendAI Research |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55051 MITRE NVD |
CVE Title: Microsoft SharePoint Server Information Disclosure Vulnerability
Description: Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55051 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55051 | P1hcn |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55134 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55134 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55134 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55056 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55056 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55056 | Haein Lee with KAIST Hacking Lab Jeongmin Choi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55040 MITRE NVD |
CVE Title: Microsoft SharePoint Server Security Feature Bypass Vulnerability
Description: Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? The authentication feature could be bypassed as this vulnerability allows impersonation. I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), but could lead to no loss of availability (A:N). What does that mean for this vulnerability? Exploiting this vulnerability could allow an attacker to disclose files and modify data, but the attacker cannot impact the availability of the system. How could an attacker exploit this vulnerability? In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55040 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Critical | Security Feature Bypass | None | Base: 9.1 Temporal: 7.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Critical | Security Feature Bypass | None | Base: 9.1 Temporal: 7.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Critical | Security Feature Bypass | None | Base: 9.1 Temporal: 7.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55040 | Chumy Tsai with CyCraft Technology
khoadha Stephen Fewer with Rapid7 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55142 MITRE NVD |
CVE Title: Microsoft Word Information Disclosure Vulnerability
Description: Numeric truncation error in Microsoft Office Word allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55142 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55142 | Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55140 MITRE NVD |
CVE Title: Microsoft Office Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55140 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002748 (Security Update) 5002830 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002748 (Security Update) 5002830 (Security Update) |
Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55140 | kunlun Lab & GLM yhw & txz kunlun Lab & GLM |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55128 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55128 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55128 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55130 MITRE NVD |
CVE Title: Microsoft Word Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55130 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (32-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Word 2016 (64-bit edition) | 5002890 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55130 | Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55042 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Use of uninitialized resource in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55042 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55042 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55139 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55139 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55139 | oriotie |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55043 MITRE NVD |
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55043 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (32-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (64-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55043 | 0ccbbf129444eb66344ccafb92b00df4 Haein Lee with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55133 MITRE NVD |
CVE Title: Microsoft OneNote Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office OneNote allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55133 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55133 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55123 MITRE NVD |
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55123 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (32-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (64-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55123 | yhw & txz 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55120 MITRE NVD |
CVE Title: Microsoft PowerPoint Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55120 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Critical | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (32-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft PowerPoint 2016 (64-bit edition) | 5002867 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55120 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55052 MITRE NVD |
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description: Missing authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55052 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55052 | odgrso |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55135 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious link and convince the user to open it. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55135 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 4.6 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55135 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-50468 MITRE NVD |
CVE Title: Microsoft SQL Server Information Disclosure Vulnerability
Description: Buffer over-read in SQL Server allows an authorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50468 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50468 | Pwnforr777 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVE-2026-54116 MITRE NVD |
CVE Title: Microsoft SQL Server Information Disclosure Vulnerability
Description: Access of resource using incompatible type ('type confusion') in SQL Server allows an authorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is internal memory pointers. These leaked addresses could help an attacker bypass security protection and facilitate further exploitation. I am running SQL Server on my system. What action do I need to take? Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?
Note If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates.
What are the GDR and CU update designations and how do they differ? The General Distribution Release (GDR) and Cumulative Update (CU) designations correspond to the two different servicing options in place for SQL Server baseline releases. A baseline can be either an RTM release or a Service Pack release.
For any given baseline, either the GDR or CU updates could be options (see below).
Note: You are allowed to make a change from GDR updates to CU updates ONE TIME. Once a SQL Server CU update is applied to a SQL Server installation, there is NO way to go back to the GDR update path. Can the security updates be applied to SQL Server instances on Windows Azure (IaaS)? Yes. SQL Server instances on Windows Azure (IaaS) can be offered the security updates through Microsoft Update, or customers can download the security updates from Microsoft Download Center and apply them manually. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54116 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SQL Server 2025 for x64-based Systems (CU6) | 5101346 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SQL Server 2025 for x64-based Systems (GDR) | 5102333 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54116 | Pwnforr777 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55145 MITRE NVD |
CVE Title: Outlook Copilot Tampering Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Outlook Copilot allows an authorized attacker to perform tampering over a network. FAQ: How do I protect myself from this vulnerability? Customers can help protect themselves by enabling Outlook's external sender tagging feature to identify untrusted content. This enables Microsoft's provided mitigations to isolate and safely process the untrusted content before it is provided to Microsoft 365 Copilot. Administrators can enable external sender tagging through Exchange Online PowerShell. Refer to the Microsoft Learn documentation for setup instructions and requirements. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Moderate | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| N/A | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55145 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Copilot | Moderate | Tampering | None | Base: 6.3 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-55145 | Håkon Måløy |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54131 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54131 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54131 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55898 MITRE NVD |
CVE Title: Microsoft Excel Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55898 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55898 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55944 MITRE NVD |
CVE Title: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in Microsoft Dynamics NAV allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending a specially crafted login request to an affected Dynamics NAV or Business Central server. Successful exploitation could allow the attacker to execute arbitrary code on the target system. Authentication and user interaction are not required. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55944 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Dynamics NAV 2018 | Release Notes (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-55944 | John Nzyuko |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55947 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55947 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55947 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55949 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55949 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Excel 2016 (32-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Excel 2016 (64-bit edition) | 5002886 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Office Online Server | 5002884 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55949 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56156 MITRE NVD |
CVE Title: Microsoft Excel Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution, Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56156 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56156 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56157 MITRE NVD |
CVE Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability). Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56157 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56157 | Henrique Pereira with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-41109 MITRE NVD |
CVE Title: GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
Description: Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by embedding malicious instructions in user input or external content that is processed, causing it to bypass guardrails, treat those instructions as trusted, and execute unintended actions such as retrieving sensitive data. What kind of security feature could be bypassed by successfully exploiting this vulnerability? Successful exploitation could bypass the path validation safeguards that check which files may be changed and require user approval for sensitive locations, allowing changes to protected files without the user’s knowledge or consent. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-41109 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-41109 | Alexander Tan |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56159 MITRE NVD |
CVE Title: DHCP Server Service Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows DHCP Server allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An unauthenticated attacker could exploit this vulnerability by sending specially crafted packet to a Dynamic Host Configuration Protocol (DHCP) Server configured to provide data for Option 43. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56159 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56159 | Lewis Lee |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50359 MITRE NVD |
CVE Title: Microsoft XML Core Services Elevation of Privilege Vulnerability
Description: Use after free in Microsoft XML Core Services allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50359 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-50359 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56168 MITRE NVD |
CVE Title: Windows SMB Server Denial of Service Vulnerability
Description: Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56168 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56168 | Mateusz Garncarek with Digital-Missiles Mateusz Garncarek with Digital-Missiles |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56173 MITRE NVD |
CVE Title: Windows WebView Elevation of Privilege Vulnerability
Description: Use after free in Windows WebView allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56173 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56173 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56176 MITRE NVD |
CVE Title: Windows Win32k Elevation of Privilege Vulnerability
Description: Out-of-bounds read in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56176 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56176 | lubinradar |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56175 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56175 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56175 | R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56182 MITRE NVD |
CVE Title: Windows NTFS Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows NTFS allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56182 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56182 | Thanatos Tian (HKPolyU) & npc0vo & @2st__ with Diffract R4nger with Kunlun Lab & Zhiniang Peng with HUST Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56183 MITRE NVD |
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description: Use after free in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56183 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56183 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56190 MITRE NVD |
CVE Title: Remote Desktop Protocol Remote Code Execution Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending specially crafted Remote Desktop Protocol (RDP) traffic to a system where Network Level Authentication (NLA) is disabled. The malicious data can interact with improperly initialized memory in the affected component, leading to memory corruption that the attacker may leverage to control how memory is written. This type of issue can allow an attacker to write data to unintended locations in memory, potentially enabling further compromise of the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56190 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56190 | CrowdStrike with CrowdStrike |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56184 MITRE NVD |
CVE Title: Win32k Information Disclosure Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56184 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56184 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56187 MITRE NVD |
CVE Title: Windows MIDI Service Module Elevation of Privileges Vulnerability
Description: Use after free in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56187 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56187 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56186 MITRE NVD |
CVE Title: Windows Secure Channel Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Schannel allows an authorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56186 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56186 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56188 MITRE NVD |
CVE Title: Windows Server Network driver Remote Code Execution Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Network driver allows an unauthorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this vulnerability by sending specially crafted malicious traffic to a vulnerable server. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56188 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 9.8 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56188 | Aaron Esau with V12 Aaron Esau with V12 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56189 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56189 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56189 | vipin kumar |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50665 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50665 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-50665 | Jeongmin Choi Jeongmin Choi |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56192 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56192 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56192 | Jeongmin Choi SeaDragnoL with Qrious Secure grass |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56195 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56195 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56195 | 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56196 MITRE NVD |
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description: Relative path traversal in Windows Admin Center allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56196 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56196 | Batuhan Er with HawkTrace |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56197 MITRE NVD |
CVE Title: Windows Admin Center (WAC) Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Windows Admin Center allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56197 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Admin Center | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56197 | sho odagiri with GMO Cybersecurity by Ierae inc Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56178 MITRE NVD |
CVE Title: Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
Description: Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56178 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Defender for Endpoint for Mac | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56178 | Mihalis Haatainen with Bountyy Oy |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56642 MITRE NVD |
CVE Title: Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability
Description: Stack-based buffer overflow in Microsoft Fabric Data Warehouse allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit the vulnerability? An attacker who successfully exploits this vulnerability could achieve remote code execution without user interaction. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56642 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Fabric Data Warehouse | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-56642 | Microsoft Red Team |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56643 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56643 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56643 | Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab Azure Yang with Kunlun Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56644 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56644 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56644 | Minwoo Jeong (P1nkjelly) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54124 MITRE NVD |
CVE Title: Windows Terminal Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Windows Terminal allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54124 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5095051 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Terminal for Windows 10 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Windows Terminal for Windows 11 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-54124 | Dhiraj Mishra Daniel R |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56194 MITRE NVD |
CVE Title: Windows NFS Server Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Network File System allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56194 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56194 | Brandon Fisher Brandon Fisher |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56647 MITRE NVD |
CVE Title: Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Remote Access Service Infrastructure allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56647 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56647 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56648 MITRE NVD |
CVE Title: Windows NFS Server Elevation of Privilege Vulnerability
Description: Time-of-check time-of-use (toctou) race condition in Windows Network File System allows an authorized attacker to elevate privileges over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56648 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56648 | k0shl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56649 MITRE NVD |
CVE Title: Windows Network File System Remote Code Execution Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56649 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 5.9 Temporal: 5.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56649 | Linzishan & Anemone & Zhiniang Peng (HUST) |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57083 MITRE NVD |
CVE Title: Windows Media Photo Codec Information Disclosure Vulnerability
Description: Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57083 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57083 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57084 MITRE NVD |
CVE Title: Windows File Explorer Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57084 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57084 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56650 MITRE NVD |
CVE Title: Windows Network File System Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Network File System allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56650 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56650 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57095 MITRE NVD |
CVE Title: Win32k Elevation of Privilege Vulnerability
Description: Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57095 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57095 | wxz & Thanatos Tian with Diffract |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57090 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57090 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57090 | yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57094 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57094 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57094 | yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57091 MITRE NVD |
CVE Title: Windows File History Service Elevation of Privilege Vulnerability
Description: Stack-based buffer overflow in Windows File History Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57091 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57091 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57089 MITRE NVD |
CVE Title: Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability
Description: Use after free in Windows SMB Server Network Transport Driver (srvnet.sys) allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57089 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57089 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57085 MITRE NVD |
CVE Title: Windows Print Spooler Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Successful exploitation could allow an attacker to read a limited amount of information from the affected system’s memory. This information would be restricted in scope and is not expected to expose large amounts of sensitive data. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57085 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57085 | Noam Pomerantz with Cyberwallglobal |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57092 MITRE NVD |
CVE Title: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability
Description: Use after free in Windows VMSwitch allows an authorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could potentially gain elevated privileges on the host system beyond the guest virtual machine boundary. How could an attacker exploit the vulnerability? An attacker could exploit this vulnerability by running code in a guest virtual machine and sending a specially crafted network-related request to the host through the Hyper-V Virtual Switch. Under certain conditions, the request could cause the host to access memory that is no longer valid, potentially resulting in a denial of service or, in more severe cases, elevated privileges on the host system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57092 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Elevation of Privilege | None | Base: 9.9 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57092 | Microsoft Offensive Research & Security Engineering |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57087 MITRE NVD |
CVE Title: Microsoft Windows Media Foundation Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Windows Media Foundation allows an unauthorized attacker to execute code over a network. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could attempt to exploit this vulnerability by convincing a user to open a specially crafted media file. If the vulnerable component processes the file, memory corruption could occur, which may allow code to run on the affected system. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57087 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57087 | yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57088 MITRE NVD |
CVE Title: Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability
Description: Improper access control in Extensible Storage Engine (ESENT) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain ELEVATED privileges, which may allow them to perform actions beyond their original permissions. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57088 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57088 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57093 MITRE NVD |
CVE Title: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Description: Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57093 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57093 | Soon with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57096 MITRE NVD |
CVE Title: Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57096 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57096 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57101 MITRE NVD |
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57101 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-57101 | Ammar Askar |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57102 MITRE NVD |
CVE Title: Visual Studio Code Security Feature Bypass Vulnerability
Description: Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57102 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Visual Studio Code | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-57102 | Rubin Ownz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57108 MITRE NVD |
CVE Title: .NET Denial of Service Vulnerability
Description: Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57108 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| .NET 10.0 installed on Linux | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 10.0 installed on Mac OS | 5104034 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Linux | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Mac OS | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 8.0 installed on Windows | 5104032 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Linux | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Mac OS | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| .NET 9.0 installed on Windows | 5104033 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-57108 | 41ae55e9310ff27fa6f26af4727e5590 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57968 MITRE NVD |
CVE Title: Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
Description: Buffer over-read in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57968 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Subsystem for Linux (WSL2) | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Unknown |
| CVE ID | Acknowledgements |
| CVE-2026-57968 | vurmusum vurmusum |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57973 MITRE NVD |
CVE Title: Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability
Description: Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Tampering |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57973 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows Subsystem for Linux (WSL2) | Release Notes (Security Update) | Important | Tampering | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-57973 | Kangjun Heo with Chungnam National University Riddhimaan Singh |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57974 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability? An attacker could attempt to trick a user into interacting with a malicious request that appears legitimate. When the user approves the request, the attacker could cause the app to obtain an access token on the user’s behalf and send it to a location controlled by the attacker, without the user being clearly informed about what access is being granted. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57974 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57974 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57975 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57975 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57975 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57977 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57977 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57977 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-57982 MITRE NVD |
CVE Title: Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an authorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized heap memory. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57982 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-57982 | Sanil Singh Tomar with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-57993 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-57993 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 7.4 Temporal: 6.4 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-57993 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58277 MITRE NVD |
CVE Title: Microsoft SharePoint Elevation of Privilege Vulnerability
Description: Improper authorization in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. FAQ: I am running SharePoint Server 2016. Do the updates for SharePoint Enterprise Server 2016 also apply to the version I am running? Yes. The same KB number applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. Customers running either version should install the security update to be protected from this vulnerability. What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58277 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58277 | Rafael Resende Rafael Resende |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58281 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58281 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58281 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58282 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58282 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58282 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58283 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58283 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58283 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58284 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58284 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58284 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58285 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58285 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58285 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58286 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58286 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58286 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58287 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58287 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58287 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58288 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58288 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58288 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58289 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58289 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 9.0 Temporal: 7.8 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58289 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58290 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58290 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58290 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58291 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Description: Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58291 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.1 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58291 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58292 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L) and availability (A:L), and major loss of integrity (I:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability enables an attacker to access data and disrupt services at a medium integrity level, resulting in some loss of confidentiality and availability. However, because the attacker can execute arbitrary code at that level, the vulnerability poses a total loss of integrity, allowing for potentially significant data manipulation. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58292 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58292 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58293 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58293 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58293 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58294 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Description: Use after free in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58294 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58294 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58295 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What kind of security feature could be bypassed by successfully exploiting this vulnerability? An unauthenticated attacker is able to bypass the expected user access. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58295 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58295 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58296 MITRE NVD |
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description: Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58296 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58296 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58297 MITRE NVD |
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description: Exposure of private personal information to an unauthorized actor in Microsoft Edge for Android allows an unauthorized attacker to disclose information over a network. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58297 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58297 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58298 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58298 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 7.2 Temporal: 6.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58298 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58299 MITRE NVD |
CVE Title: Microsoft Edge for Android Remote Code Execution Vulnerability
Description: Time-of-check time-of-use (toctou) race condition in Microsoft Edge for Android allows an unauthorized attacker to execute code over a network. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted file from the attacker to initiate remote code execution. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58299 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58299 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58300 MITRE NVD |
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description: Absolute path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58300 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.2 Temporal: 5.4 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58300 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58522 MITRE NVD |
CVE Title: Microsoft Edge for Android Information Disclosure Vulnerability
Description: Relative path traversal in Microsoft Edge for Android allows an unauthorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58522 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58522 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58523 MITRE NVD |
CVE Title: Microsoft Edge for Android Security Feature Bypass Vulnerability
Description: Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An unauthenticated attacker is able to bypass the expected user access. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58523 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58523 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58524 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Important | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58524 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Spoofing | None | Base: 5.4 Temporal: 4.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58524 | Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58525 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Description: Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. What kind of security feature could be bypassed by successfully exploiting this vulnerability? An unauthenticated attacker is able to bypass the expected user access. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and some loss of integrity (I:L), but no loss of availability (A:N). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could view sensitive information, (Confidentiality), and make some changes to disclosed information (Integrity), but they would not be able to affect Availability. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-08T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58525 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Security Feature Bypass | None | Base: 8.2 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58525 | Asaf Cohen with XBreach.ai Kugelblitz with Microsoft Kugelblitz with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58527 MITRE NVD |
CVE Title: Windows Runtime Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Runtime allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58527 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58527 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58528 MITRE NVD |
CVE Title: Windows USB Audio Class Driver Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58528 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.8 Temporal: 5.9 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58528 | Jonghoi Kim Donghyeon Oh with Patchpoint |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58530 MITRE NVD |
CVE Title: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58530 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58530 | Donghyeon Oh with Patchpoint Jonghoi Kim R4nger with Kunlun Lab & Zhiniang Peng with HUST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58538 MITRE NVD |
CVE Title: Windows Bluetooth Service Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58538 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58538 | Anonymous Anonymous Brandon Fisher Brandon Fisher |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58533 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58533 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58533 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58535 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58535 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58535 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58546 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58546 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58546 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58539 MITRE NVD |
CVE Title: Windows Remote Desktop Client Information Disclosure Vulnerability
Description: Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58539 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Information Disclosure | None | Base: 6.5 Temporal: 5.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58539 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab 0ccbbf129444eb66344ccafb92b00df4 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58540 MITRE NVD |
CVE Title: Windows Installer Elevation of Privilege Vulnerability
Description: Improper authorization in Windows Installer allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58540 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58540 | JaGoTu with DCIT, a.s. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58531 MITRE NVD |
CVE Title: Windows SMB Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB allows an authorized attacker to elevate privileges over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58531 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58531 | grass341 with Viettel Cyber Security |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58532 MITRE NVD |
CVE Title: Windows Kernel Elevation of Privilege Vulnerability
Description: Integer overflow or wraparound in Windows Kernel allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58532 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58532 | aprilpet |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58537 MITRE NVD |
CVE Title: Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability
Description: Use after free in Microsoft NAT Helper Components (ipnathlp.dll) allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58537 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58537 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58534 MITRE NVD |
CVE Title: Windows Input Method Editor (IME) Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58534 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58534 | Pwnforr777 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58536 MITRE NVD |
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58536 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58536 | Chen Le Qi (@cplearns2h4ck) with STAR Labs SG Pte. Ltd. |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58547 MITRE NVD |
CVE Title: Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability
Description: Heap-based buffer overflow in Universal Plug and Play (upnp.dll) allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58547 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58547 | Q4n with Kunlun Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58545 MITRE NVD |
CVE Title: Windows Kernel Security Feature Bypass Vulnerability
Description: Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58545 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58545 | Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58544 MITRE NVD |
CVE Title: Windows Management Services Elevation of Privilege Vulnerability
Description: Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58544 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58544 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58542 MITRE NVD |
CVE Title: Windows Media Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58542 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Critical | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58542 | Kyeongmin Kim (@hareh4ru) with KAIST Hacking Lab |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58543 MITRE NVD |
CVE Title: Universal Print Management Service Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58543 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 6.3 Temporal: 5.5 Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58543 | AIフィジカルインターフェイス二号機 |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58541 MITRE NVD |
CVE Title: Microsoft DWM Core Library Elevation of Privilege Vulnerability
Description: Access of resource using incompatible type ('type confusion') in Windows DWM allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58541 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58541 | Varun Goel yhw & txz |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58594 MITRE NVD |
CVE Title: Remote Desktop Client Remote Code Execution Vulnerability
Description: Integer overflow or wraparound in Windows RDP allows an unauthorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58594 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58594 | Sanil Singh Tomar with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58596 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Description: Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. FAQ: How could an attacker exploit this vulnerability via the Network? An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email. What is the version information for this release?
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to craft deceptive or invisible form elements and user to perform two sequential taps. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user. According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58596 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58596 | deepsleep |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-58597 MITRE NVD |
CVE Title: Microsoft Edge (Chromium-based) Spoofing Vulnerability
Description: Insufficient ui warning of dangerous operations in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. FAQ: What is the version information for this release?
According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability? Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user must visit the attacker‑controlled webpage, and perform the two tap gestures that cause autofill to activate. Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Low | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58597 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Low | Spoofing | None | Base: 4.3 Temporal: 3.8 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C |
No |
| CVE ID | Acknowledgements |
| CVE-2026-58597 | Azza Tegar Naufal Ataullah |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13954 MITRE NVD |
CVE Title: Chromium: CVE-2026-13954 Insufficient policy enforcement in XML
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13954 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13954 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13796 MITRE NVD |
CVE Title: Chromium: CVE-2026-13796 Integer overflow in Chromecast
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:56     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13796 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13796 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13799 MITRE NVD |
CVE Title: Chromium: CVE-2026-13799 Use after free in QUIC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:00     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13799 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13799 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13800 MITRE NVD |
CVE Title: Chromium: CVE-2026-13800 Inappropriate implementation in Updater
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:01     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13800 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13800 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13806 MITRE NVD |
CVE Title: Chromium: CVE-2026-13806 Insufficient validation of untrusted input in Accessibility
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:07     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13806 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13806 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13810 MITRE NVD |
CVE Title: Chromium: CVE-2026-13810 Inappropriate implementation in Input
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:08     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13810 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13810 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13811 MITRE NVD |
CVE Title: Chromium: CVE-2026-13811 Use after free in IME
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:10     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13811 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13811 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13815 MITRE NVD |
CVE Title: Chromium: CVE-2026-13815 Use after free in Blink
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:12     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13815 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13815 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13818 MITRE NVD |
CVE Title: Chromium: CVE-2026-13818 Inappropriate implementation in Passwords
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:14     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13818 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13818 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13814 MITRE NVD |
CVE Title: Chromium: CVE-2026-13814 Use after free in Views
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:30     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13814 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13814 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13817 MITRE NVD |
CVE Title: Chromium: CVE-2026-13817 Insufficient validation of untrusted input in Glic
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:13     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13817 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13817 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13821 MITRE NVD |
CVE Title: Chromium: CVE-2026-13821 Use after free in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:17     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13821 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13821 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13820 MITRE NVD |
CVE Title: Chromium: CVE-2026-13820 Out of bounds read in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:16     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13820 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13820 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13823 MITRE NVD |
CVE Title: Chromium: CVE-2026-13823 Use after free in Glic
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:18     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13823 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13823 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13824 MITRE NVD |
CVE Title: Chromium: CVE-2026-13824 Insufficient validation of untrusted input in Extensions
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:19     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13824 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13824 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-13828 MITRE NVD |
CVE Title: Chromium: CVE-2026-13828 Inappropriate implementation in Enterprise
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:20     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13828 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13828 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13829 MITRE NVD |
CVE Title: Chromium: CVE-2026-13829 Insufficient validation of untrusted input in Settings
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:22     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13829 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13829 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13830 MITRE NVD |
CVE Title: Chromium: CVE-2026-13830 Use after free in Chromoting
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:23     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13830 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13830 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13831 MITRE NVD |
CVE Title: Chromium: CVE-2026-13831 Use after free in GPU
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:24     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13831 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13831 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13834 MITRE NVD |
CVE Title: Chromium: CVE-2026-13834 Insufficient validation of untrusted input in ANGLE
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:27     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13834 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13834 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13832 MITRE NVD |
CVE Title: Chromium: CVE-2026-13832 Use after free in Headless
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13832 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13832 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13836 MITRE NVD |
CVE Title: Chromium: CVE-2026-13836 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:30     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13836 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13836 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13835 MITRE NVD |
CVE Title: Chromium: CVE-2026-13835 Inappropriate implementation in XML
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:28     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13835 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13835 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13837 MITRE NVD |
CVE Title: Chromium: CVE-2026-13837 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:31     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13837 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13837 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13838 MITRE NVD |
CVE Title: Chromium: CVE-2026-13838 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:32     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13838 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13838 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13839 MITRE NVD |
CVE Title: Chromium: CVE-2026-13839 Inappropriate implementation in CSS
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13839 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13839 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13840 MITRE NVD |
CVE Title: Chromium: CVE-2026-13840 Insufficient policy enforcement in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:35     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13840 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13840 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13841 MITRE NVD |
CVE Title: Chromium: CVE-2026-13841 Integer overflow in Skia
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:36     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13841 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13841 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13844 MITRE NVD |
CVE Title: Chromium: CVE-2026-13844 Use after free in Updater
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:37     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13844 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13844 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact | ||||||
| CVE-2026-13845 MITRE NVD |
CVE Title: Chromium: CVE-2026-13845 Use after free in DOM
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. FAQ: Why is this Chrome CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. How can I see the version of the browser?
What is the version information for this release?
Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T07:00:33     Information published. |
Unknown | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Not Found | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-13845 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Edge (Chromium-based) | Release Notes (Security Update) | Unknown | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-13845 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-47305 MITRE NVD |
CVE Title: Visual Studio Remote Code Execution Vulnerability
Description: Protection mechanism failure in Visual Studio allows an unauthorized attacker to execute code locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-47305 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Visual Studio 2022 version 17.12 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2022 version 17.14 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Visual Studio 2026 version 18.7 | Release Notes (Security Update) | Important | Remote Code Execution | None | Base: N/A Temporal: N/A Vector: N/A |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-47305 | Arun T |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58613 MITRE NVD |
CVE Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Description: Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58613 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58613 | Marcin 'Icewall' Noga with Cisco Talos Marcin 'Icewall' Noga with Cisco Talos |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58617 MITRE NVD |
CVE Title: M365 Copilot for iOS Elevation of Privilege Vulnerability
Description: Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network. FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58617 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Copilot for iOS | Release Notes (Security Update) | Important | Elevation of Privilege | None | Base: 8.1 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-58617 | Ofek Levin with Enclave |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58619 MITRE NVD |
CVE Title: Windows Sensor Data Service Elevation of Privilege Vulnerability
Description: Use after free in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58619 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58619 | k0shl k0shl |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58626 MITRE NVD |
CVE Title: Windows Remote Desktop Services Remote Code Execution Vulnerability
Description: Use after free in Windows Remote Desktop Services allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? An authenticated attacker could exploit this vulnerability by connecting to a target system via Remote Desktop Protocol (RDP) and sending specially crafted requests that trigger a use-after-free condition in the Remote Desktop service, allowing the attacker to execute arbitrary code on the target system. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? An attacker must first have access to a Windows system as an authenticated user and then use that system to establish a connection to the target server and send the malicious data that triggers the vulnerability. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58626 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58626 | Daniel R |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58627 MITRE NVD |
CVE Title: Windows DHCP Server Denial of Service Vulnerability
Description: Uncontrolled resource consumption in Windows DHCP Server allows an unauthorized attacker to deny service over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Denial of Service |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58627 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Denial of Service | None | Base: 7.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58627 | Anil Lulla with Microsoft |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58628 MITRE NVD |
CVE Title: Windows Wireless Network Manager Elevation of Privilege Vulnerability
Description: Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Wireless Networking allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58628 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58628 | Arpit Gupta |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58629 MITRE NVD |
CVE Title: DirectX Graphics Kernel Elevation of Privilege Vulnerability
Description: Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited the vulnerability could execute code in the kernel. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58629 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for ARM64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 23H2 for x64-based Systems | 5099414 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 (Server Core installation) | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58629 | gengstah Dung Do of Calif.io |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58632 MITRE NVD |
CVE Title: Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability
Description: Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58632 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58632 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58633 MITRE NVD |
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description: Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58633 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58633 | Seung Chan Kim |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58634 MITRE NVD |
CVE Title: Desktop Window Manager Elevation of Privilege Vulnerability
Description: Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58634 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58634 | Varun Goel |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58637 MITRE NVD |
CVE Title: Windows Client-Side Caching Elevation of Privilege Vulnerability
Description: Use after free in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? A domain user could use this vulnerability to elevate privileges to SYSTEM assigned integrity level. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58637 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1607 for 32-bit Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1607 for x64-based Systems | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Elevation of Privilege | None | Base: 7.0 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58637 | z1r0 Byunghyun Kang with KAIST |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58638 MITRE NVD |
CVE Title: Windows Boot Loader Security Feature Bypass Vulnerability
Description: Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Security Feature Bypass |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58638 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 10 Version 1809 for 32-bit Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 1809 for x64-based Systems | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 21H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for 32-bit Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for ARM64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 10 Version 22H2 for x64-based Systems | 5099539 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 (Server Core installation) | 5099445 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2012 R2 (Server Core installation) | 5099444 (Monthly Rollup) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2016 (Server Core installation) | 5099535 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2019 (Server Core installation) | 5099538 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2022 | 5099540 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Important | Security Feature Bypass | None | Base: 6.0 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58638 | Stas Lyakhov with Eclypsium |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56181 MITRE NVD |
CVE Title: Windows Network Address Translation (NAT) Spoofing Vulnerability
Description: Origin validation error in Windows Network Address Translation (NAT) allows an unauthorized attacker to perform spoofing over an adjacent network. FAQ: According to the CVSS metric, the attack vector is adjacent (AV:A). What does that mean for this vulnerability? This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require machine-in-the-middle (MITM) type setups or that rely on initially gaining a foothold in another environment. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Moderate | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56181 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 24H2 for ARM64-based Systems | 5101650 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 24H2 for x64-based Systems | 5101650 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for ARM64-based Systems | 5101650 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 25H2 for x64-based Systems | 5101650 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 | 5099536 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Windows Server 2025 (Server Core installation) | 5099536 (Security Update) | Moderate | Spoofing | None | Base: 8.3 Temporal: 7.2 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-56181 | Malcolm Stagg with SODIUM-24, LLC |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55121 MITRE NVD |
CVE Title: Microsoft Office Information Disclosure Vulnerability
Description: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), no loss to integrity (I:N) and lead to some loss of availability (A:L). What is the impact of this vulnerability? Successful exploitation of this vulnerability could allow an attacker to access limited sensitive information from system memory and may cause intermittent interruptions or reduced performance in the affected application. However, it would not allow the attacker to modify data. What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55121 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2016 (32-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2016 (64-bit edition) | 5002887 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office 2019 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 2019 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office 365 for Mac | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC 2021 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2021 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 32-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC 2024 for 64-bit editions | Click to Run (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
No |
| Microsoft Office LTSC for Mac 2021 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft Office LTSC for Mac 2024 | Release Notes (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Enterprise Server 2016 | 5002891 (Security Update) 5002892 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server 2019 | 5002883 (Security Update) 5002885 (Security Update) |
Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| Microsoft SharePoint Server Subscription Edition | 5002882 (Security Update) | Important | Information Disclosure | None | Base: 5.5 Temporal: 4.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Maybe |
| CVE ID | Acknowledgements |
| CVE-2026-55121 | Haein Lee |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58529 MITRE NVD |
CVE Title: Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability
Description: Out-of-bounds read in Active Directory Federation Services (AD FS) allows an authorized attacker to disclose information over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Information Disclosure |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58529 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Windows 11 Version 26H1 for ARM64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| Windows 11 version 26H1 for x64-based Systems | 5101649 (Security Update) | Important | Information Disclosure | None | Base: 7.1 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-58529 | Anonymous |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53355 MITRE NVD |
CVE Title: net: rds: clear i_sends on setup unwind
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-02T14:43:58     Information published. 1.0    2026-07-02T01:03:30     Information published. 3.0    2026-07-09T14:49:56     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53355 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53355 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53347 MITRE NVD |
CVE Title: drm/virtio: Fix driver removal with disabled KMS
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:20     Information published. 2.0    2026-07-02T14:44:42     Information published. 3.0    2026-07-09T14:50:12     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53347 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53347 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53343 MITRE NVD |
CVE Title: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:59     Information published. 2.0    2026-07-02T14:45:20     Information published. 3.0    2026-07-09T14:51:00     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53343 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.1 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53343 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53329 MITRE NVD |
CVE Title: drm/amd/display: Use krealloc_array() in dal_vector_reserve()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-02T14:45:02     Information published. 3.0    2026-07-09T14:50:35     Information published. 1.0    2026-07-02T01:04:39     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53329 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.1 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53329 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53352 MITRE NVD |
CVE Title: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:33     Information published. 2.0    2026-07-02T14:44:55     Information published. 3.0    2026-07-09T14:50:28     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53352 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53352 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53349 MITRE NVD |
CVE Title: netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:46     Information published. 2.0    2026-07-02T14:45:08     Information published. 3.0    2026-07-09T14:50:45     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53349 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53349 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56149 MITRE NVD |
CVE Title: Allocation of Resources Without Limits or Throttling in Elasticsearch Leading to Denial of Service
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T01:02:04     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56149 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 rubygem-elasticsearch 8.9.0-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 4.9 Temporal: 4.9 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-56149 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14258 MITRE NVD |
CVE Title: Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-05T14:43:33     Information published. 3.0    2026-07-06T14:45:18     Information published. 1.0    2026-07-03T01:03:50     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14258 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 dhcpcd 10.0.8-2 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| azl3 dhcpcd 10.0.8-4 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14258 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50721 MITRE NVD |
CVE Title: IKEv1 Denial of Service via RSA-SHA1 (PKCS#1 Version 1.5 Encrypted) authentication payload
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:03:02     Information published. 2.0    2026-07-09T14:39:28     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50721 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libreswan 4.15-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.1 Temporal: 8.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-50721 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-50722 MITRE NVD |
CVE Title: IKEv2 Denial of Service via RSA-SHA1 (PKCS#1 RSASSA-PKCS1-v1_5) authentication payload
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:03:08     Information published. 2.0    2026-07-09T14:39:37     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-50722 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libreswan 4.15-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.1 Temporal: 8.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-50722 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-9545 MITRE NVD |
CVE Title: exposing HTTP/3 early data
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-07T01:41:09     Information published. 3.0    2026-07-09T01:46:22     Information published. 1.0    2026-07-04T01:04:22     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-9545 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P |
Unknown | |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-9545 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-12413 MITRE NVD |
CVE Title: IKEv2 Denial of Service via malformed fragmentation
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:03:15     Information published. 2.0    2026-07-09T14:39:45     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-12413 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libreswan 4.15-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-12413 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8932 MITRE NVD |
CVE Title: incomplete mTLS config matching in conn reuse
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:04:54     Information published. 2.0    2026-07-07T01:41:30     Information published. 3.0    2026-07-09T01:46:48     Information published. 4.0    2026-07-12T14:47:57     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8932 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8932 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-9547 MITRE NVD |
CVE Title: SSH improper host validation
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:46:35     Information published. 3.0    2026-07-09T01:47:17     Information published. 1.0    2026-07-04T01:05:15     Information published. |
Critical | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-9547 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.4 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-9547 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8458 MITRE NVD |
CVE Title: wrong reuse for different services
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:06:19     Information published. 2.0    2026-07-07T01:42:14     Information published. 3.0    2026-07-07T14:41:25     Information published. 4.0    2026-07-09T01:48:27     Information published. 5.0    2026-07-12T14:48:23     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8458 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8458 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8924 MITRE NVD |
CVE Title: trailing dot domain super cookie
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-07T01:41:55     Information published. 3.0    2026-07-09T01:48:07     Information published. 1.0    2026-07-04T01:05:58     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8924 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Important | Unknown | None | Base: 9.1 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | Important | Unknown | None | Base: 9.1 Temporal: 8.6 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P |
Unknown | |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8924 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-10536 MITRE NVD |
CVE Title: HTTP/2 stream-dependency tree UAF
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 3.0    2026-07-09T01:48:59     Information published. 3.1    2026-07-10T14:40:19     Information published. 4.0    2026-07-12T14:49:23     Information published. 1.0    2026-07-04T01:07:25     Information published. 2.0    2026-07-07T01:42:55     Information published. 3.2    2026-07-11T14:38:42     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-10536 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.5 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 4.7 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-10536 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-11856 MITRE NVD |
CVE Title: cross-origin Digest auth state leak
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:46:55     Information published. 3.0    2026-07-09T01:47:43     Information published. 1.0    2026-07-04T01:05:36     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-11856 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-11856 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8286 MITRE NVD |
CVE Title: wrong STARTTLS connection reuse
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 4.0    2026-07-12T14:49:04     Information published. 1.0    2026-07-04T01:06:52     Information published. 2.0    2026-07-07T01:42:34     Information published. 3.0    2026-07-09T01:50:03     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8286 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Important | Unknown | None | Base: 8.1 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.1 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8286 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8926 MITRE NVD |
CVE Title: password leak with netrc and user in URL
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-07T01:43:09     Information published. 1.0    2026-07-04T01:07:40     Information published. 3.0    2026-07-09T01:49:37     Information published. 3.1    2026-07-10T14:40:29     Information published. 4.0    2026-07-12T14:49:44     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8926 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.9 Temporal: 5.6 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.1 Temporal: 9.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8926 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-9080 MITRE NVD |
CVE Title: UAF after pause in socket callback
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-04T01:07:52     Information published. 2.0    2026-07-07T01:43:20     Information published. 3.0    2026-07-09T01:49:11     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-9080 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-9080 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8925 MITRE NVD |
CVE Title: SASL double-free
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:47:19     Information published. 1.0    2026-07-04T01:08:05     Information published. 3.0    2026-07-09T01:49:49     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8925 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.9 Temporal: 5.9 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.9 Temporal: 5.9 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.9 Temporal: 5.9 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8925 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53362 MITRE NVD |
CVE Title: ipv6: account for fraggap on the paged allocation path
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:47:38     Information published. 1.0    2026-07-05T01:03:10     Information published. 3.0    2026-07-08T14:47:02     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53362 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.3 Temporal: 7.3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53362 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53359 MITRE NVD |
CVE Title: KVM: x86: Fix shadow paging use-after-free due to unexpected role
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-05T01:03:16     Information published. 2.0    2026-07-07T14:41:35     Information published. 3.0    2026-07-08T14:47:09     Information published. 4.0    2026-07-09T01:50:15     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53359 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.0 Temporal: 7.0 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53359 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14355 MITRE NVD |
CVE Title: ext/openssl: Memory corruption in openssl_encrypt with AES-WRAP-PAD
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:47:27     Information published. 1.0    2026-07-05T01:02:57     Information published. 3.0    2026-07-09T01:50:09     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14355 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssl 3.3.7-3 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.6 Temporal: 5.6 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
Unknown | |
| azl3 php 8.3.31-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.6 Temporal: 5.6 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-14355 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53361 MITRE NVD |
CVE Title: af_unix: Set gc_in_progress to true in unix_gc().
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:47:33     Information published. 1.0    2026-07-05T01:03:04     Information published. 3.0    2026-07-08T14:46:54     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53361 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 4.5 Temporal: 4.5 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53361 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55952 MITRE NVD |
CVE Title: TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-07T01:01:15     Information published. 2.0    2026-07-09T01:50:21     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55952 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-55952 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54886 MITRE NVD |
CVE Title: SSH SFTP server denial of service via extended channel data infinite loop
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-11T01:40:30     Information published. 1.0    2026-07-07T01:01:22     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54886 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-54886 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-12480 MITRE NVD |
CVE Title: Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-14T01:38:59     Information published. 1.0    2026-07-07T01:01:38     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-12480 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 keras 3.3.3-7 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.2 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P |
No |
| CVE ID | Acknowledgements |
| CVE-2026-12480 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14647 MITRE NVD |
CVE Title: onnx onnxruntime old.cc convPoolShapeInference_opset19 out-of-bounds
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-07T01:01:44     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14647 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 pytorch 2.2.2-15 on Azure Linux 3.0 | Low | Unknown | None | Base: 4.3 Temporal: 3.9 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-14647 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59997 MITRE NVD |
CVE Title: internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:15     Information published. 2.0    2026-07-12T14:50:41     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59997 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 4.2 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
No |
| CVE ID | Acknowledgements |
| CVE-2026-59997 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59996 MITRE NVD |
CVE Title: scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-12T14:50:58     Information published. 1.0    2026-07-09T01:01:22     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59996 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 4.2 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-59996 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59995 MITRE NVD |
CVE Title: sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:28     Information published. 2.0    2026-07-12T14:51:17     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59995 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 4.2 Temporal: 4.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-59995 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-60001 MITRE NVD |
CVE Title: sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:35     Information published. 2.0    2026-07-12T14:51:37     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-60001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-60001 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-60000 MITRE NVD |
CVE Title: sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:41     Information published. 2.0    2026-07-12T14:51:55     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-60000 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Low | Unknown | None | Base: 3.7 Temporal: 3.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-60000 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59999 MITRE NVD |
CVE Title: In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:47     Information published. 2.0    2026-07-12T14:52:14     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59999 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.9 Temporal: 5.9 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
No |
| CVE ID | Acknowledgements |
| CVE-2026-59999 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-60002 MITRE NVD |
CVE Title: ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:01:53     Information published. 2.0    2026-07-12T14:52:35     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-60002 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.7 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L |
No |
| CVE ID | Acknowledgements |
| CVE-2026-60002 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56002 MITRE NVD |
CVE Title: libXfont2 PCF Font Parsing Heap Buffer Overflow
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:13     Information published. 2.0    2026-07-12T14:53:31     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56002 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.5 Temporal: 7.8 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56002 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56000 MITRE NVD |
CVE Title: xorg-x11-server / xwayland GLX contextTags Use-After-Free in CommonMakeCurrent()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:26     Information published. 2.0    2026-07-11T01:08:33     Information published. 3.0    2026-07-12T14:54:03     Information published. |
Critical | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56000 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 wayland 1.22.0-1 on Azure Linux 3.0 | Critical | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 xorg-x11-server-Xwayland 24.1.12-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56000 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-38968 MITRE NVD |
CVE Title: ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:45     Information published. |
Critical | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-38968 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 ntopng 5.2.1-6 on Azure Linux 3.0 | Critical | Unknown | None | Base: 9.8 Temporal: 9.0 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-38968 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-38969 MITRE NVD |
CVE Title: ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:55     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-38969 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 ruby 3.3.5-8 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 7.5 Temporal: 6.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U |
Unknown | |
| azl3 rubygem-webrick 1.8.1-3 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 7.5 Temporal: 6.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-38969 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54908 MITRE NVD |
CVE Title: Pion DTLS: Denial of service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-11T01:41:05     Information published. 1.0    2026-07-09T01:03:02     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54908 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-54908 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56288 MITRE NVD |
CVE Title: NULL Pointer Dereference in GNU patch
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-10T01:01:37     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56288 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kpatch 0.9.8-3 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 patch 2.7.6-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-56288 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59856 MITRE NVD |
CVE Title: Vim: Arbitrary Code Execution via PHP Omni-Completion
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:16     Information published. 2.0    2026-07-12T14:55:22     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59856 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 vim 9.2.0735-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.8 Temporal: 7.8 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-59856 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20214 MITRE NVD |
CVE Title: ClamAV FSG File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:29     Information published. 2.0    2026-07-12T14:56:03     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20214 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20214 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20215 MITRE NVD |
CVE Title: ClamAV 7Zip File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:35     Information published. 2.0    2026-07-12T14:56:22     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20215 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20215 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20216 MITRE NVD |
CVE Title: ClamAV InstallShield File Format Processing Resource Exhaustion Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:41     Information published. 2.0    2026-07-12T14:56:40     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20216 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20216 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20217 MITRE NVD |
CVE Title: ClamAV PESpin File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:47     Information published. 2.0    2026-07-12T14:56:58     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20217 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20217 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20244 MITRE NVD |
CVE Title: ClamAV DMG File Processing Denial of Service Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-12T14:57:41     Information published. 1.0    2026-07-11T01:02:00     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20244 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20244 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59998 MITRE NVD |
CVE Title: sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:02:59     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59998 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 openssh 9.8p1-8 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 4.8 Temporal: 4.8 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59998 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14380 MITRE NVD |
CVE Title: DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:06:39     Information published. 2.0    2026-07-12T14:58:35     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14380 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 perl-DBI 1.643-5 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.8 Temporal: 8.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14380 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14740 MITRE NVD |
CVE Title: DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:06:45     Information published. 2.0    2026-07-12T14:58:52     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14740 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 perl-DBI 1.643-5 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 9.1 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14740 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59926 MITRE NVD |
CVE Title: Mistune: XSS via unescaped class option in Admonition directive
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:06:59     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59926 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.1 Temporal: 6.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59926 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59925 MITRE NVD |
CVE Title: inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:05     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59925 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59925 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59930 MITRE NVD |
CVE Title: Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:18     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59930 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 4.3 Temporal: 4.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59930 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59890 MITRE NVD |
CVE Title: setuptools: MANIFEST.in exclusion bypass in sdist via Unicode normalization collision (NFC/NFD) on macOS APFS/HFS+
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-13T14:40:57     Information published. 1.0    2026-07-11T01:07:37     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59890 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python3 3.12.9-13 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.1 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
Unknown | |
| azl3 python-pip 24.2-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.1 Temporal: 5.6 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U |
Unknown | |
| azl3 python-setuptools 69.0.3-5 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 6.1 Temporal: 5.6 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U |
No |
| azl3 python-virtualenv 20.36.1-5 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.1 Temporal: 5.6 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.1 Temporal: 6.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59890 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58207 MITRE NVD |
CVE Title: NATS Server: Remote crash via integer overflow in Connz pagination
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:49     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58207 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.7 Temporal: 7.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58207 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58251 MITRE NVD |
CVE Title: NATS Server: Queue Subscribe Authz Bypass
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:55     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58251 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58251 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58208 MITRE NVD |
CVE Title: NATS Server: MQTT-over-WebSocket Path Can Crash WebSocket-Only JetStream Servers Before MQTT Is Enabled
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:08:02     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58208 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.8 Temporal: 6.2 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58208 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58252 MITRE NVD |
CVE Title: NATS Server: Subscribe Authz Bypass via Wildcard-Overlap
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:08:14     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58252 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58252 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58209 MITRE NVD |
CVE Title: NATS Server: MQTT retained and QoS replay bypass subscribe deny filters
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:08:20     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58209 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 4.3 Temporal: 4.0 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58209 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58253 MITRE NVD |
CVE Title: NATS Server: Route API Auth Bypass
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:08:26     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58253 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Important | Unknown | None | Base: 8.8 Temporal: 8.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58253 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40468 MITRE NVD |
CVE Title: Heap buffer overflow in gawk
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T01:01:35     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40468 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 gawk 5.2.2-1 on Azure Linux 3.0 | Low | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-40468 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53354 MITRE NVD |
CVE Title: arm64: errata: Mitigate TLBI errata on various Arm CPUs
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:03:11     Information published. 2.0    2026-07-02T14:43:39     Information published. 3.0    2026-07-09T01:44:00     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53354 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.1 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-53354 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-41579 MITRE NVD |
CVE Title: runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:03:03     Information published. 2.0    2026-07-05T14:42:07     Information published. |
Low | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-41579 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 runc 1.3.3-2 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Low | Unknown | None | Base: 3.3 Temporal: 3.3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
No |
| CVE ID | Acknowledgements |
| CVE-2026-41579 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53345 MITRE NVD |
CVE Title: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:03:18     Information published. 2.0    2026-07-02T14:43:46     Information published. 3.0    2026-07-09T01:44:09     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53345 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-53345 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53332 MITRE NVD |
CVE Title: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-02T14:44:05     Information published. 1.0    2026-07-02T01:03:36     Information published. 3.0    2026-07-09T01:44:16     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53332 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-53332 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53336 MITRE NVD |
CVE Title: nvmem: layouts: onie-tlv: fix hang on unknown types
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:03:55     Information published. 2.0    2026-07-02T14:44:24     Information published. 3.0    2026-07-09T01:44:34     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53336 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-53336 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53327 MITRE NVD |
CVE Title: debugobjects: Do not fill_pool() if pi_blocked_on
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-02T14:44:11     Information published. 1.0    2026-07-02T01:03:43     Information published. 3.0    2026-07-08T14:44:19     Information published. 4.0    2026-07-09T01:44:25     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53327 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53327 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53337 MITRE NVD |
CVE Title: net: bonding: fix NULL pointer dereference in bond_do_ioctl()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-02T14:44:17     Information published. 1.0    2026-07-02T01:03:49     Information published. 3.0    2026-07-09T14:50:04     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53337 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53337 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53356 MITRE NVD |
CVE Title: drm/i915/gem: Fix phys BO pread/pwrite with offset
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:52     Information published. 2.0    2026-07-02T14:45:14     Information published. 3.0    2026-07-09T14:50:52     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53356 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.1 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53356 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53353 MITRE NVD |
CVE Title: hsr: Remove WARN_ONCE() in hsr_addr_is_self().
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:04:26     Information published. 2.0    2026-07-02T14:44:49     Information published. 3.0    2026-07-09T14:50:20     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53353 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53353 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53339 MITRE NVD |
CVE Title: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-02T01:05:05     Information published. 2.0    2026-07-02T14:45:26     Information published. 3.0    2026-07-09T01:45:03     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53339 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.5 Temporal: 5.5 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-53339 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-49090 MITRE NVD |
CVE Title: Uncontrolled Resource Consumption in Elasticsearch Leading to Denial of Service
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T01:01:57     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-49090 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 rubygem-elasticsearch 8.9.0-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.5 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-49090 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-53357 MITRE NVD |
CVE Title: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-03T01:02:18     Information published. 2.0    2026-07-09T14:38:55     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-53357 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.9 Temporal: 5.9 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-53357 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-9079 MITRE NVD |
CVE Title: stale proxy password leak
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:46:14     Information published. 4.0    2026-07-12T14:47:37     Information published. 1.0    2026-07-04T01:04:07     Information published. 3.0    2026-07-09T01:46:04     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-9079 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Important | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-9079 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-8927 MITRE NVD |
CVE Title: env-set cross-proxy Digest auth state leak
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:45:49     Information published. 3.0    2026-07-09T01:49:26     Information published. 1.0    2026-07-04T01:03:49     Information published. 4.0    2026-07-12T14:47:16     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-8927 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 cmake 3.30.3-14 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
No |
| azl3 mysql 8.0.46-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| azl3 tensorflow 2.16.1-11 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-8927 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-12064 MITRE NVD |
CVE Title: proto-default skips SSH verification
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 2.0    2026-07-06T14:47:07     Information published. 3.0    2026-07-09T01:48:39     Information published. 4.0    2026-07-12T14:48:43     Information published. 1.0    2026-07-04T01:06:31     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-12064 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 curl 8.11.1-9 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.4 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
No |
| azl3 rust 1.75.0-30 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Unknown | |
| azl3 rust 1.90.0-9 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.4 Temporal: 7.4 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-12064 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-54891 MITRE NVD |
CVE Title: Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-07T01:01:28     Information published. 2.0    2026-07-09T01:50:30     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-54891 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 erlang 26.2.5.21-2 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-54891 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56001 MITRE NVD |
CVE Title: libXfont2 BitmapScaleBitmaps Integer Overflow Heap Buffer Overflow
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:00     Information published. 2.0    2026-07-12T14:52:55     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56001 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.5 Temporal: 7.8 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56001 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56003 MITRE NVD |
CVE Title: libXfont2 computeProps Property Buffer Heap Buffer Overflow
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:07     Information published. 2.0    2026-07-12T14:53:12     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56003 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 libXfont2 2.0.6-1 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.5 Temporal: 7.8 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-56003 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55999 MITRE NVD |
CVE Title: xorg-server / xwayland glamor font atlas Heap Buffer Overflow
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:20     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55999 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 wayland 1.22.0-1 on Azure Linux 3.0 | Important | Unknown | None | Base: 8.5 Temporal: 8.5 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-55999 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14191 MITRE NVD |
CVE Title: WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-09T01:02:39     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14191 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.8 Temporal: 7.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-14191 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59818 MITRE NVD |
CVE Title: etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-10T01:01:17     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59818 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 etcd 3.5.30-2 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 6.5 Temporal: 6.0 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59818 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-56289 MITRE NVD |
CVE Title: Loop with Unreachable Exit Condition in GNU patch
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-10T01:01:27     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-56289 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 kpatch 0.9.8-3 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| azl3 patch 2.7.6-9 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-56289 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20213 MITRE NVD |
CVE Title: ClamAV PE File Format Processing Out-of-Bounds Memory Corruption Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:22     Information published. 2.0    2026-07-12T14:55:43     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20213 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20213 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-20243 MITRE NVD |
CVE Title: ClamAV ALZ Archive Processing Denial of Service Vulnerability
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:01:53     Information published. 2.0    2026-07-12T14:57:23     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-20243 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 clamav 1.5.2-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
No |
| CVE ID | Acknowledgements |
| CVE-2026-20243 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14461 MITRE NVD |
CVE Title: Out-of-bound read in mtr
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:04:28     Information published. 2.0    2026-07-14T01:39:17     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14461 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 mtr 0.95-3 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14461 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-14739 MITRE NVD |
CVE Title: DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:06:33     Information published. 2.0    2026-07-12T14:58:16     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-14739 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 perl-DBI 1.643-5 on Azure Linux 3.0 | CBL-Mariner Releases (Security Update) | Important | Unknown | None | Base: 8.6 Temporal: 7.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U |
No |
| CVE ID | Acknowledgements |
| CVE-2026-14739 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59928 MITRE NVD |
CVE Title: Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:06:53     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59928 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59928 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59922 MITRE NVD |
CVE Title: Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:11     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59922 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-mistune 3.3.0-1 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59922 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59869 MITRE NVD |
CVE Title: js-yaml: YAML merge-key chains can force quadratic CPU consumption
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:07:43     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59869 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59869 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-58250 MITRE NVD |
CVE Title: NATS Server: Pre-auth server crash via double INFO in leafnode handshake
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-11T01:08:08     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-58250 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 telegraf 1.31.0-23 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 7.5 Temporal: 6.9 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-58250 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-15308 MITRE NVD |
CVE Title: Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-12T01:01:27     Information published. 2.0    2026-07-13T14:41:16     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-15308 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 python3 3.12.9-13 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-15308 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59871 MITRE NVD |
CVE Title: node-tar: Process crash via PAX numeric path type confusion
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-12T01:01:34     Information published. 2.0    2026-07-13T14:41:21     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59871 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 tar 1.35-2 on Azure Linux 3.0 | Moderate | Unknown | None | Base: 5.3 Temporal: 5.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59871 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59873 MITRE NVD |
CVE Title: node-tar: Decompression/parse DoS via unlimited input
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-12T01:01:40     Information published. 2.0    2026-07-13T14:41:27     Information published. |
Critical | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59873 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 tar 1.35-2 on Azure Linux 3.0 | Critical | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59873 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-59874 MITRE NVD |
CVE Title: node-tar: Negative tar entry size causes infinite loop in archive replace
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-12T01:01:47     Information published. 2.0    2026-07-13T14:41:33     Information published. |
Important | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-59874 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 tar 1.35-2 on Azure Linux 3.0 | Important | Unknown | None | Base: 7.5 Temporal: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-59874 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40553 MITRE NVD |
CVE Title: Stack-based buffer overflow in gawk
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T01:01:22     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40553 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 gawk 5.2.2-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-40553 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40469 MITRE NVD |
CVE Title: Heap buffer overflow in gawk
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T01:01:29     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40469 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 gawk 5.2.2-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-40469 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-40467 MITRE NVD |
CVE Title: Use after free in gawk
Description: Unknown FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T01:01:41     Information published. |
Moderate | Unknown |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-40467 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| azl3 gawk 5.2.2-1 on Azure Linux 3.0 | Moderate | Unknown | None | Base: N/A Temporal: N/A Vector: N/A |
Unknown | |
| CVE ID | Acknowledgements |
| CVE-2026-40467 | None |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55005 MITRE NVD |
CVE Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Description: Heap-based buffer overflow in Microsoft Exchange Server allows an authorized attacker to execute code over a network. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Remote Code Execution |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55005 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2016 Cumulative Update 23 | 5103215 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 14 | 5103214 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 15 | 5103213 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server Subscription Edition RTM | 5103212 (Security Update) | Important | Remote Code Execution | None | Base: 8.8 Temporal: 7.7 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55005 | kunlun Lab & GLM kunlun Lab & GLM |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55006 MITRE NVD |
CVE Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
Description: Insufficient granularity of access control in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Less Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55006 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2016 Cumulative Update 23 | 5103215 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 14 | 5103214 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 15 | 5103213 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server Subscription Edition RTM | 5103212 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55006 | MARIOS GYFTOS |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55008 MITRE NVD |
CVE Title: Microsoft Exchange Server Spoofing Vulnerability
Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. FAQ: How could an attacker exploit this vulnerability? An attacker could exploit this issue by sending a specifically crafted malicious email to the user. If the user opens this email, in Outlook Web Access, and certain conditions are met, arbitrary execution of JavaScript would occur in the browser context. Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Critical | Spoofing |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation More Likely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55008 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2016 Cumulative Update 23 | 5103215 (Security Update) | Critical | Spoofing | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 14 | 5103214 (Security Update) | Critical | Spoofing | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 15 | 5103213 (Security Update) | Critical | Spoofing | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server Subscription Edition RTM | 5103212 (Security Update) | Critical | Spoofing | None | Base: 9.6 Temporal: 8.3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55008 | Michael Maturi with Google |
| CVE ID | Vulnerability Description | Maximum Severity Rating | Vulnerability Impact |
| CVE-2026-55009 MITRE NVD |
CVE Title: Microsoft Exchange Server Elevation of Privilege Vulnerability
Description: Deserialization of untrusted data in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally. FAQ: None Mitigations: None Workarounds: None Revision: 1.0    2026-07-14T07:00:00     Information published. |
Important | Elevation of Privilege |
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month. The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.
| Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment | Publicly Disclosed | Exploited |
| Exploitation Unlikely | Not Found | Not Applicable | No | No |
The following tables list the affected software details for the vulnerability.
| CVE-2026-55009 | ||||||
| Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
| Microsoft Exchange Server 2016 Cumulative Update 23 | 5103215 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 14 | 5103214 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server 2019 Cumulative Update 15 | 5103213 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| Microsoft Exchange Server Subscription Edition RTM | 5103212 (Security Update) | Important | Elevation of Privilege | None | Base: 7.8 Temporal: 6.8 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C |
Yes |
| CVE ID | Acknowledgements |
| CVE-2026-55009 | Anonymous |